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Introduction 


-□ 


This annual report is based on the activities of the Aerospace Safety Advisory 
Panel in calendar year 2000. During this year, the construction of the 
International Space Station (ISS) moved into high gear. The launch of the 
Russian Service Module was followed by three Space Shuttle construction 
and logistics flights and the deployment of the Expedition One crew 
Continuous habitation of the ISS has begun. To date, both the ISS and Space 
Shuttle programs have met or exceeded most of their flight objectives. In spite 
of the intensity of these efforts, it is clear that safety was always placed ahead 
of cost and schedule. This safety consciousness permitted the Panel to devote 
more of its efforts to examining the long-term picture. 

With ISS construction accelerating, demands on the Space Shuttle will 
increase. While Russian Soyuz and Progress spacecraft will make some 
flights, the Space Shuttle remains the primary vehicle to sustain the ISS 
and all other U.S. activities that require humans in space. Development of 
a next generation, human-rated vehicle has slowed due to a variety of 
technological problems and the absence of an approach that can accom- 
plish the task significantly better than the Space Shuttle. Moreover, even 
if a viable design were currently available, the realities of funding and 
development cycles suggest that it would take many years to bring it to 
fruition. Thus, it is inescapable that for the foreseeable future the Space 
Shuttle will be the only human rated vehicle available to the U.S. space 
program for support of the ISS and other missions requiring humans. Use 
of the Space Shuttle will extend well beyond current planning, and is like 
ly to continue for the life of the ISS. 

The Panel is not concerned about the ability of the Space Shuttle to safe 
ly support immediate flight needs. Both NASA and its contractors have 
repeatedly demonstrated their commitment to safety and their willing- 
ness to delay launching until risks are fully understood and managed. 
Concern arises, however, for the longer term because the planning horizon 
for the Space Shuttle is too short. This has forced some improvements to 
be deferred until a decision is made on the Space Shuttle s successor. A 
shorter than realistic planned life for the Space Shuttle also has the 
potential to stifle those safety improvements with longer development 
times. Simply, these improvements will not appear to be cost effective 
unless a realistic service life is used in any benefit analysis. 

Given the likely lead times associated with the definition, funding, and devel 
opment of a new human-rated space vehicle, the Space Shuttle should be 
acknowledged as the primary method for humans to reach the ISS through- 
out the Stations life. The Panel firmly believes that a timely commitment to 
Space Shuttle operations for the life of the ISS from NASA, the 
Administration, and the Congress is essential to the long-term safety and via- 
bility of the Space Shuttle and ISS programs. This need for a timely and 
emphatic commitment is the overarching theme of this report. 

The importance of adopting a realistic planning horizon goes beyond the 
obvious issues of countering obsolescence, providing adequate logistics, 
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and maximizing the availability of the Space Shuttles to meet mission 
objectives. A firm, national commitment to the use of the Space Shuttle for 
at least the life of the ISS provides assurance to the existing workforce 
that they have a viable career path. This morale booster also will help 
assure the availability of critical skills. 

The Space Shuttle has proved to be robust and capable. Various upgrade 
efforts such as the Block II main engines, improvements to the solid rocket 
booster, and additional shielding of the heat exchanger have made signifi- 
cant reductions in operating risk. There are, however, other product improve- 
ment efforts that can further enhance the safety and operability of the Space 
Shuttle, particularly if it is to fly for an additional 20 years or more. The fail 
ure to adopt as many of these as possible in a timely manner would be ill 
advised. Delaying the implementation of some of the identified improve- 
ments while awaiting a decision on the service life of the Space Shuttle 
exposes flight crews to higher levels of risk for longer than necessary. 

A robust, realistic, full life-cycle Space Shuttle improvement program 
should focus on ground as well as flight elements and consider phasing in 
safety improvements that will last for the entire expected life of the Space 
Shuttle as soon as possible. 

It also is worth noting the striking parallels between NASA’s workforce and 
its aging facilities, ground support equipment, and test and checkout gear 
(“infrastructure”). Both workforce and infrastructure are “invisible” issues 
that rarely rate front-page attention. There is a comparable tendency to 
“make do” with job losses and infrastructure deficiencies, relying instead on 
short run fixes. In most cases these fixes are sufficient in the short-run, even 
as the foundation upon which NASA’s space and aeronautics programs ulti 
mately rests continues to erode. The investments needed to address these 
problems must always compete with what appear to be more urgent or glam 
orous tasks. Yet, with infrastructure, as with workforce, sustained shortfalls 
in these resources will eventually compromise NASA’s ability to carry out its 
challenging mission. For this reason, the Panel believes it is important to give 
priority attention to infrastructure concerns in much the same way as it 
directed the spotlight on workforce during the past several years. 

The findings and recommendations in Section II of this report and the 
information in support of those findings and recommendations (Section 
III) provide suggestions for management and planning activities as well 
as specific actions that the Panel believes would enhance short- and long- 
term safety. Appendix A contains a current roster of Panel members, con 
sultants, and staff. NASA’s response to the findings and recommendations 
from the 1999 Aerospace Safety Advisory Panel Annual Report is included 
as Appendix B. Also in Appendix B is the Panel’s assessment of the extent 
to which NASA’s response addressed each of the issues raised. Appendix 
C lists the activities of the Panel in 2000. 

During the year, Captain Robert L. (“Hoot”) Gibson (USN, Ret.) left as a 
consultant to the Panel. Colonel Sidney M. Gutierrez (USAF, Ret.), a 
retired Space Shuttle commander, and the Honorable Robert T. Francis II, 
formerly vice chairman of the National Transportation Safety Board, 
joined the Panel as consultants. 
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Space Shuttle 

The Space Shuttle Program (SSP) has responded well to the challenges of 
an increased flight rate and the need to recover from what proved to be 
over-ambitious workforce downsizing. While there are lingering valid con 
cerns with regard to aging equipment and infrastructure; the quality of 
work paper; a changing workforce; and the need to keep pace with the 
launch demands of the International Space Station (ISS) , the Panel is con 
vinced that the principle, “Safety first, schedule second,” is alive and well. 
This was amply demonstrated by the decisions to delay launches while 
potential safety problems were resolved. The willingness of workers to call 
a “time out” when they were unsure about assembly and processing tasks 
illustrates a commendable safety commitment. 

Examples of positive achievements by the SSP include: 

* Successful checkout and pre-launch activities were carried out at one- 
month intervals subsequent to launch of the Russian Service Module. 

* A Process Control Focus Group was established and is off to a good start. 

* The Block IIA Space Shuttle Main Engines have performed well in 
flights this year. 

* The High Pressure Fuel Turbopump/Alternate has completed its two- 
unit certification test program. In addition, the High Pressure 
Oxygen Turbopump/Alternate has demonstrated a ten flight interval 
between rebuilds. 

* Both the Reusable Solid Rocket Motor and External Tank production 
and delivery plans provide positive margins for planned Kennedy 
Space Center (KSC) operations. 

* Answers to important questions about tank slosh modes during abort 
are now being developed. 

* Simulator studies of contingency aborts to East Coast landing sites 
are underway. 

The Panel looks forward to the successful completion of these and 
related efforts. 

The sustained safety awareness of the SSP is reflected in a decrease in 
specific findings and recommendations listed below. This should not be 
interpreted as a lack of issues pertinent to the SSP, however. To the con- 
trary, there are a number of Panel concerns beyond those in the findings 
and recommendations that will be looked into by the Panel in the coming 
year. Among these are the following: 

* Crew escape. The Panel recommends, below, that the absence of an expand- 
ed crew escape capability be addressed as a significant safety upgrade. 
Crew escape will be an item of special interest for the Panel in 2001. 

* Logistics. The ability of the existing logistics management structure 
and resources to support the Space Shuttle for its life is questionable. 
The Panel will be examining long-term logistics issues during 200 1 . 
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Finding #1 


The current planning horizon for the Space Shuttle does not afford oppor- 
tunity for safety improvements that will be needed in the years beyond 
that horizon. 


Recommendation #1 

Extend the planning horizon to cover a Space Shuttle life that matches a 
realistic design, development, and flight qualification schedule for an 
alternative human-rated launch vehicle. 
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Finding #2 


There is no in flight crew escape system for the Orbiter other than for 
abort below 20,000 feet during a controlled glide. 


Recommendation #2 

Complete the ongoing studies of crew escape design options and imple- 
ment an improved system as soon as possible. 
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Finding #3 


Redundant hydraulic lines for the three orbiter hydraulic systems are not 
adequately separated to preclude loss of all hydraulic power in the event 
of a single catastrophic failure of adjacent hardware. 


Recommendation #3 

Provide the same degree of separation of redundant critical hydraulic 
lines as is given to redundant critical electrical wiring. 
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Launch and Landing 

The processing of the Space Shuttle preparatory to flight at KSC is a com- 
plex, labor-intensive, mission- and safety-critical activity The processing 
is controlled by requirements that flow down to the work floor in the form 
of work instructions or “work paper.” Ground processing at KSC also 
involves numerous hazardous operations. 

Because of the importance of KSC ground processing to overall Space 
Shuttle safety, the Panel maintains a standing team devoted to fact-find- 
ing at the center. A special task group has also been formed to address the 
ongoing initiative to improve work paper to support KSC ground process- 
ing. 

In addition to the quality of the work instructions, the KSC team focused 
during the year on other factors related to ground processing that have 
the potential to impact Space Shuttle and KSC worker safety. Among 
these are workforce composition and critical skills, morale, the extent and 
condition of ground support equipment and fixed infrastructure, and cen- 
ter policies and organization. The KSC team assesses these factors 
through regular visits that includes onsite examinations and both sched 
tiled and impromptu conversations with the workforce. This provides con 
tinuity to the teams evaluation to help see beyond the short-term impact 
of highly publicized events, such as the hiring of new personnel and inci 
dents during processing and launch attempts. 


Two specific findings and three recommendations dealing directly with 
launch processing at KSC follow. 


findings and 
recommendations 



Finding #4 


The ongoing effort to improve the work paper used at KSC by incorporat- 
ing outstanding deviations and clarifying and simplifying the work 
instructions is proceeding well. Some lesser effort has been focused on 
improving the vehicle engineering drawings and reducing the engineering 
orders (EOs) they contain. 


Recommendation #4a 

Continue vigorous efforts to upgrade the work paper, even as the flight 
rate increases, in order to maintain the positive momentum that this 
worthwhile initiative has generated. 


Recommendation #4b 

Focus additional effort on updating vehicle engineering drawings with the 
objectives of incorporating as many EOs as possible and assuring the clar 
ity of all information. 
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Finding #5 


The KSC facilities, ground support equipment, and test and checkout gear 
to support Space Shuttle processing and launch operations continue to 
age. The status of the potential readiness of these essential assets has 
been projected, but there is no detailed, funded plan to ensure that this 
aging infrastructure can safely support the Space Shuttle for its likely 
operational life. 


Recommendation #5 

Develop a detailed plan and budget to maintain and upgrade the KSC 
assets that are essential to the safe operation of the Space Shuttle for its 
reasonably expected flight life so that an appropriate infrastructure life 
extension program can be implemented. 
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International Space Station 
and Crew Return Vehicle 


International Space Station (ISS) 

With the launch of the Service Module, the ISS has begun the long- 
planned program to finish assembly on orbit. The first three-person crew 
arrived on board in October, and the Space Shuttle launch rate has 
increased. Over the next few years seven to eight Space Shuttle launches 
per year plus Russian launches for resupply will be carried out. This high 
er launch rate raises several issues of logistics, training, and operations, 
some of which are reflected in findings and recommendations in other sec- 
tions of this report. 

The danger to the ISS of impact from micrometeoroids and orbital debris 
(MM/OD) has been reported over the last several years in the Panels 
reports. The ISS still remains more vulnerable than it is expected to be in 
its final configuration because shielding for the Service Module is not 
scheduled to be available for assembly for three years. The ISS Program 
is keenly aware of this issue and continues to seek a way to accelerate 
manufacture and assembly. The Panel will continue to monitor this and 
other MM/OD issues. 

Over several years, the Panel also has addressed issues associated with 
damage detection, assessment, control, and repair. Several years ago the 
ISS Program created an Integrated Task Team to deal with these issues 
and good progress has been made. The Panel intends to thoroughly review 
this area during the upcoming year. 

There is a single finding with respect to the ISS. 
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Finding #6 


Due to the rapid pace of ISS assembly launches and the many and varied 
resulting configurations, Multi-Element Integration Testing (MEIT) with 
operational loads of Portable Computer System (PCS) software is limited 
and, in some cases, may only be accomplished in the brief time allocated 
for regression testing. 


Recommendation #6 

Strive to accelerate scheduled releases for PCS software. Be prepared to 
delay schedules, if necessary, to assure that MEIT testing and astronaut 
training with the flight loads of PCS software are thorough and complete. 


22 


aerospace safety 
advisory panel 
annual report for 2000 



Crew Return Vehicle (CRV) 

A CRV team within the Panel was established early in the year to focus 
on the safety aspects of the NASA effort to develop a suitable “lifeboat” for 
the ISS. It appears that good progress is being made in validating the 
parafoil deployment system and in meeting the requirements of the 
newly-developed NASA Human Rating Standard. The X-38 (V201) Space 
Flight Test Plan for the final validation flight from the Space Shuttle on 
orbit scheduled for early 2002 also is progressing. 

As discussed in last year’s report, the ISS Program has decided to use one 
seven-person U.S.CRV and one three-person Russian Soyuz CRV as the 
configuration at assembly complete. The Panel is concerned about the pos- 
sible unavailability of the Russian-built Soyuz and the subsequent impact 
on full-crew operation over the life of the ISS. However, the Panel has 
received assurances from NASA management that Soyuz availability is 
being monitored closely by NASA teams within Russia, and that in any 
event no deviations from the current safety rules will be permitted. 

During a drop test of the X-38 at the Dryden Flight Research Center 
(DFRC) , the test vehicle exhibited severe pitch and roll oscillations as part 
of repositioning during the drogue chute deployment prior to the main 
parafoil deployment. While within requirements, these oscillations were 
certainly undesirable. The CRV project has already taken steps to damp- 
en these repositioning dynamics, and the subsequent X-38 Phase 3 Drop 
6 test exhibited much more benign repositioning behavior. 

Specific findings and recommendations follow. 
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Finding #7 


The specific definition of many of the tests identified in the draft X 38 
(V201) Space Flight Test Plan appears to be lagging. The return from orbit 
test specified by this plan is the final planned validation of the X 38 vehi 
cle and derived CRY. 


Recommendation #7 

Establish a timetable for the early completion of the detailed X 38 (V201) 
Space Flight Test Plan. Sufficient time must be made available for a thor 
ough review process and for possible changes in the plan resulting from 
the review. 
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Finding #8 


Because of the innovative processes used, there is some possibility that all 
of the design knowledge related to safety issues that has been acquired by 
the NASA X-38 team may not be transferred to the contractor selected to 
build the operational CRV. 


Recommendation #8 

Develop a plan to ensure that all of the design experience gained by NASA 
in the X 38 technology validation effort is transferred to the contractor 
selected to produce the operational CRY 
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Aerospace Technology 


The Aerospace Technology Enterprise accelerated the shift from predom- 
inantly near-term aeronautical technologies to projects that relate to the 
needs of future space transportation systems. The largest impact of this 
shift was noted at the Langley Research Center (LaRC) where the skills 
of the staff working on the cancelled High Speed Transport (HST) and 
Advanced Subsonic Research (ASR) programs were not a good match for 
new Intelligent Synthesis Environment (ISE) and Space Transportation 
activities. Although it is disturbing that the Enterprise has significantly 
reduced resources for the aviation sector, it is encouraging to note that the 
Aviation Safety Program has been maintained and has taken up some of 
the safety projects that were formerly in the cancelled aeronautics pro- 
grams. On the other hand, the Panel is concerned that the wind tunnel 
activity sponsored by government and industry at both LaRC and the 
Ames Research Center (ARC) appears to be declining. 

In the general aviation area, the Small Aircraft Transportation System 
(SATS) Program is a natural follow-on to the Advanced General Aviation 
Transport Experiments (AGATE) Program. SATS is aimed directly at low 
ering cost and increasing safety at the lower end of the general aviation 
spectrum where the accident rate is the highest. Clearly, this is a large 
challenge. However, the program fully recognizes this and has a strong 
emphasis on flight training, crashworthiness, and the demonstration of 
high reliability of inexpensive flight components. 

There has been an increase in emphasis on the technologies associated 
with unoccupied vehicles and the use of them for testing advanced con 
cepts. The various Unoccupied Air Vehicles (UAV), such as Perseus and X 
34, form a comprehensive set of technology expansion efforts in the high 
altitude/long duration flight region and contribute to the ability to provide 
earth science information and subscale models for proof-of-concept flight 
demonstrations. 

The NASA/FAA cooperative effort to improve safety in the civil aviation 
area is excellent. The “Future Flight Central,” a full simulation of a large 
city control tower housed at ARC, will improve existing and future control 
tower safety. The Advanced Air Transportation Technologies Project is 
making good progress towards improving the efficiency and safety of the 
Air Traffic Control system. 

The Panel has also noted that some Aerospace Technology programs are 
considering replacing the use of traditional factors of safety with 
Probabilistic Risk Assessments (PRAs). The Panel has long supported 
PRA as a design tool to assess trade-offs; however, there is concern with 
using PRA as the primary means of assuring adequate design margins. 
The Panel plans to examine this issue in more detail. 

The “Design for Safety” concept centered at ARC has admirable goals but 
seems to focus on the premise that model-based digital prototyping can 
replace the individual expertise currently needed for the design process. 
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To do this successfully, a high degree of validated expert knowledge and 
probabilistic data must be employed in the system modeling and pro- 
grammed reasoning. The panel will review the progress on this effort dur- 
ing 2001. 

An ongoing research program at the Dryden Flight Research Center 
(DFRC) is examining an Advanced Aeroelastic Wing (AAW) on an F/A- 18 
aircraft. The flutter limits of the F/A 18 AAW configuration were judged 
to be satisfactory by comparison to the original F/A 18 wing. Detailed flut- 
ter analyses were performed or are planned based on the differences 
between the original and test wings. Since there can potentially be other 
significant variation in the two wings, there may be differences in the flut- 
ter boundaries that may not be obvious. The Panel will continue to follow 
the efforts of this project. 

Specific findings and recommendations follow. 
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Finding #9 


The overall ARC flight operations, including the Stratospheric 
Observatory for Infrared Astronomy (SOFIA) science program manage- 
ment communication and coordination, have improved significantly but 
still merit close management oversight with specific attention to early 
and continuous integration of flight operations personnel into the project. 


Recommendation #9 

ARC flight operations personnel should continue to increase their cog- 
nizance of the aircraft modification activities to insure timely coordina- 
tion and implementation of flight operations requirements. 
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Finding #10 


Not all Aviation Safety Officers (ASOs) report directly to their Center 
Directors. 


Recommendation #10 

ASOs should report directly to their Center Directors. 


32 


aerospace safety 
advisory panel 
annual report for 2000 




Cross Program Areas 


Workforce 


This past year NASA declared downsizing and hiring freezes at an end 
and initiated a modest expansion of the workforce, abandoning the per- 
sonnel targets that were initially established by the Zero Base Review 
(ZBR) in the mid 1990s. The Panel applauds this change and believes it 
will, over time, lead to a workforce better able to carry out NASA's mis- 
sion more safely 

This shift in direction provided badly needed relief, in particular, to the 
Office of Space Flight centers — KSC, Johnson Space Center (JSC), and 
Marshall Space Flight Center (MSFC). These centers were experiencing 
growing shortages in critical skills and a general lack of human resources 
needed to sustain the increasing flight rate of the Space Shuttle and ISS 
assembly NASA contractors were facing comparable shortfalls in person 
nel after several years of downsizing. Recruitment of NASA's next gener 
ation of leaders had also ground to a halt. 

All at once, however, the centers and contractors found themselves facing 
the new challenge of carrying out this change in workforce direction. 
Recruitment and training of “fresh outs," a task that had been all but 
abandoned, suddenly assumed high priority along with locating experi 
enced persons to fill critical skills shortages. In addition, a number of sen 
ior employees have continued to retire and some leave NASA for other 
employers. Stress levels among some employees still are a matter of con 
cern. In other words, workforce issues continue to merit the Panel's atten 
tion. 

Three findings and seven recommendations on workforce are presented 
below. 
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Finding #11 


The critical skills challenge faced by NASA and its contractors in the 
Space Shuttle and ISS programs continues despite resumption of active 
recruiting of experienced and new employees. 


Recommendation #1 1 

Provide more effective incentives to retain employees with critical skills 
in such areas as Information Technology and Electrical/Electronic 
Engineering. Continue active recruiting of experienced and “fresh-out” 
employees, using appropriate incentives when necessary. 
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Finding #12 


NASA’s recent hiring of inexperienced personnel, along with continuing 
shortages of experienced, highly -skilled workers, has produced the chal- 
lenge of training and integrating employees into organizations that are 
highly pressured by the expanded Space Shuttle flight rates associated 
with the ISS. There is no systematic effort to capture the knowledge of 
experienced personnel before they leave. Stress levels within the work 
force are a continuing concern. 


Recommendation #12a 

Provide active mentoring and other career development incentives to 
bring new employees to full productivity as rapidly as can be accom- 
plished with safety remaining paramount. Expand resources and delivery 
methods available to Agency level training programs to enable greater 
participation at Center and program levels. 


Recommendation #1 2b 

Continue efforts, in partnership with NASA contractors, where appropri 
ate, to provide hands-on experience. 
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Recommendation #12c 

Establish processes that capture the knowledge of experienced personnel 
before they leave or retire. 


Recommendation #1 2d 

Help employees deal positively with work- related stress. 


Recommendation #12e 

Implement an evaluation of the processes used to develop new hires into 
productive members of the workforce. 



Finding #1 3 


Recent downsizing and limitations on hiring have produced a workforce 
with aberrations in normal career development patterns and a potential 
future shortage of experienced leadership. 


Recommendation #13 

Develop and implement a long-term workforce plan, focused on retention, 
recruitment, training, succession, and career development needs, with at 
least a five-year time horizon that will ensure the availability of compe- 
tent and experienced leaders. Also provide a strengthened capability in 
organizational development. 
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Computer Hardware/Software 


Computer issues have continued to play an important role in NASAs 
activities during the past year in such areas as computer security ISS 
computer systems, Space Shuttle avionics upgrades, ground support com 
puter systems, and independent verification and validation (IV&V) activ- 
ities. During 2000, the Panel continued its attention to issues raised in its 
1 999 report, in particular computer security and Space Shuttle avionics 
upgrades, that remain of concern this year. Rather than introduce new, 
similar, items in this year’s report, the Panel has classified some of the 
items from last year as continuing. The Panel is satisfied with the initial 
directions NASA is taking, but realizes that it will take some time for the 
tasks to be completed. The Panel will continue to monitor progress on 
these items. It also has investigated a number of new issues, such as 
changes in the IV&V Facility organization, ISS computer systems, and 
additional aspects of computer security. 

The Checkout and Launch Control System (CLCS) is one of the areas the 
Panel has been following for several years. In the middle of this year, 
NASA made a major change in the organization of this project, bringing 
in a new program manager, transferring significant tasks to contractors, 
extending the completion date, and providing additional funding. The 
Panel will continue to follow these changes in the next year. 

This year has seen major accomplishments in ISS computer systems. The 
software for the initial ISS stages was completed on time, successfully 
launched, and is operating on the ISS computer systems. NASA also has 
successfully agreed with the International Partners for sustaining engi 
neering activities in support of the ISS computer systems. These are 
important steps forward. Nevertheless, the Panel encourages NASA to con 
tinue its efforts to obtain the source code for all software used on the ISS. 
Also, NASA is having a difficult time keeping the utilization of the ISS 
computer systems at the level specified in the requirements. An upgrade to 
the ISS Multiplexer/Demultiplexer (MDM) would help substantially. 

Questions about the development of the PCS arose during the year. The 
Panel’s investigation did not reveal any safety compromises. There are, 
however, concerns about the design of the PCS user interface. Now that 
the ISS is permanently inhabited, experience is being gained with the 
PCS, and it will be possible to see how well it functions. The Panel will 
continue to study this during the coming year. 

In 2000, NASA began its computer security program in earnest. It com- 
pleted most of its first round of security training, conducted initial secu- 
rity evaluations, and had an external contractor conduct penetration 
studies of systems at three NASA centers. Further, NASA withstood sev- 
eral hostile attacks during the year without major consequences. 
Nevertheless, the Panel has some concerns that are discussed below. 
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NASA made a major change in the organization of its agency-level soft- 
ware assurance and IV&V activities. The responsibility for operation of 



the IV&V Facility in Fairmont, West Virginia, was transferred from ARC 
to the Goddard Space Flight Center (GSFC). This change is reasonable 
because of the geographical proximity of the Facility to GSFC and the 
operational nature of the Facility’s work. Efforts to strengthen the uti- 
lization of IV&V throughout NASA were included in the change. It is too 
early to assess the impact of this change. However, the Panel has two con 
cerns that are also addressed later in this report. 

In summary, NASA has made a number of important strides forward in 
its computer activities, but areas of concern to the Panel remain. 
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Finding #14 


While NASA has made major changes to emphasize the need to utilize 
IV&V on safety critical projects, the technology is not well understood by 
program managers and other relevant NASA personnel. 


Recommendation #14 

Develop an appropriate user-centered course and require software assur- 
ance awareness training for all levels of management to help them 
become more cognizant of the IV&V processes and the value IV&V brings 
to a final product. 
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Finding #1 5 


NASA’s reorganized IV&V activities place more emphasis on enforcing 
requirements than on researching and developing methods to perform 
IV&V for such emerging technologies as neural nets and expert systems. 


Recommendation #1 5 

Ensure the continuation of a strong, focused software assurance and peer 
reviewed IV&V research program. 
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Finding #16 


NASA has initiated a well founded, broadly encompassing computer secu 
rity program to ensure that its computer systems are protected from hos- 
tile attacks, but development of security plans for all systems is lagging. 
Also, the function of Computer Security Officer has typically been added 
to the responsibilities of systems administrators. 


Recommendation #16a 

Complete and maintain security plans for all appropriate computer sys- 
tems and ensure that the computer security program is sustaining. 


Recommendation #1 6b 

Ensure that computer systems administrators are properly trained in 
computer security. 
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Finding #1 7 


NASA has initiated plans to have its critical systems processes evaluated 
according to the Capability Maturity Model (CMM) of the Software 
Engineering Institute and to work toward increasing the CMM level of its 
critical systems processes. 


Recommendation #1 7 

Implement the plan and ensure that all critical systems development pro- 
grams comply 
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Finding #18 


The MDMs on the ISS are already at the 65 percent utilization design 
limit of their central processor unit (CPU) with four major software 
releases still to come. There is no identified method for accommodating 
the inevitable increasing demands on the CPU. 


Recommendation #18 

Proceed expeditiously to upgrade the MDM computer system. 
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Extravehicular Activity (EVA) 
and Radiation Protection 
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Following a prolonged period of minimum activity resulting from delays 
in the assembly of the ISS, EVA rolled into high gear in 2000. The trou- 
ble-free execution of these operations reconfirmed the value of detailed 
planning by the EVA Project Office and intensive, realistic pre-mission 
training. 

The current ISS assembly schedule, which requires a significant ramp-up 
of EVA, raises concerns regarding the ability to sustain those operations 
with the current inventory of Extravehicular Mobility Units (EMUs). A 
dropped and damaged EMU caused a perturbation in the EMU logistics 
chain, highlighting the precarious state of that system. The Panel believes 
it is time to invest in the development of a next generation space suit to 
replace the 20 year-old technology EMU and Portable Life Support 
System (PLSS). 

There will be future missions into environments that are too hostile for 
safe human EVA. It is therefore essential to exploit the rapidly evolving 
field of robotics to provide alternatives to EVA as humans venture into 
deep space. 

During 2000, the National Research Council, Space Sciences Board on 
Atmospheric Sciences and Climate, in response to a request by NASA, 
published a report, “Radiation and the International Space Station: 
Recommendations to Reduce Risk.” The report makes six recommenda 
tions that span mission operations, intra agency and inter agency radia 
tion research coordination, and space weather. The Panel has reviewed 
NASA’s intended responses to that report and finds them well founded. 

NASA has, within the recent past, established a very credible research 
program to determine the biological effects of radiation in space and to 
develop effective countermeasures. Despite experience gained in nuclear 
weapons programs and in the military and civilian nuclear power pro- 
grams, the long-term effects of exposure to ionizing radiation are not fully 
understood. A realignment of priorities may be appropriate with empha 
sis on the development of more effective dosimetry, not only for near-term 
requirements, but also for future exploration of space. 

Specific findings and recommendations on EVA and radiation protec- 
tion follow. 



Finding #19 


Even though the most significant unknown in crew composite radiation 
exposure may be the contribution of neutrons, the Evolutionary Plan for 
the Crew Health Care System (CHeCS) only lists a neutron monitor as a 
“Future Medical Requirement,” and a project to fly a neutron detector is 
not planned until Increment 2. 


Recommendation #19 

Accelerate the development of effective and reliable personal and area 
neutron dosimeters. 
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Finding #20 


The current EMU is adequate for the near-term needs of the ISS and the 
Space Shuttle, but its obsolescent technology, high cost, and other limi- 
tations make it unsuitable for future exploration and development of 
deep space. 


Recommendation #20 

Initiate a high priority program to design and develop a next generation 
space suit. 
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Space Shuttle Program 

Space Shuttle 


Ref: Finding #1 

There will likely be no human-rated replacement for the Space Shuttle for 
many years. Nevertheless, the planning horizon for Space Shuttle safety 
and reliability upgrades and for logistics spares is presently set at five 
years. This shorter than realistic expected life for the Space Shuttle has the 
potential to stifle those safety improvements which require longer develop- 
ment times. NASA should reassess its Space Shuttle planning horizon. 
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Ref: Finding #2 


The Presidential Commission on the Shuttle Challenger Accident 
addressed crew escape in their report and recommended that NASA, 
“Make all efforts to provide a crew escape system. ...” NASA responded by 
initiating crew escape studies. Phase I was intended to provide a mini- 
mum system prior to return to flight. Phase II was not tied to the return 
to flight schedule and was intended to provide an automated escape sys- 
tem at a later date uncompromised by the tight return to flight schedule. 
The Phase II study concluded that an automated escape system was fea- 
sible for certain flight regimes and recommended further trade and design 
studies and a focused development program. 

Over the lifetime of the Space Shuttle, a reliable post-launch crew escape 
system will provide the largest potential improvement in crew safety. 
NASA has completed or has underway a number of studies that also sug- 
gest such a system is feasible. The time is past due for the implementa 
tion of a more capable crew escape system. 
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Ref: Finding #3 


The routing of supposedly redundant hydraulic systems in close proximi- 
ty one to another, inside the Orbiter is not good engineering practice and 
could contribute to a vehicle-threatening situation; one event could simul- 
taneously compromise all three systems. A redesign to avoid hydraulic 
systems in close proximity should be started now. 
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Launch and Landing 
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Ref: Finding #4 

Considerable effort has been applied to improving the Space Shuttle 
processing work documentation at the Kennedy Space Center (KSC). 
The United Space Alliance (USA) has formed a team of experienced 
engineers and technicians and tasked it with updating the quality and 
accuracy of the paperwork. The team has developed a revised format 
for the books of work instructions that makes extensive use of graph 
ics and follows the prevailing state-of-the-art in typography and lay- 
out. This application of additional management emphasis and 
resources has led to a reduction in the backlog of unincorporated 
changes and the production of new procedure specifications in a more 
user friendly format. 

The goals set by USA for 2000 have essentially been met. For the unin 
corporated changes (deviations or “devs”), the backlog has been 
reduced over 20 percent. As of this writing in late November, there 
were 4,185 devs open as compared with a goal of 3,969 for December 
31, 2000. This 20 percent reduction was accomplished even though 
approximately 400 deviations per month are still being initiated to the 
work documents currently in use. Nevertheless, the absolute number 
of outstanding devs is still too high, and continuing efforts are needed 
to reduce the count further. 

To date, over 600 of the vehicle and support equipment assembly, test, 
and checkout procedures (“books”) have been reviewed for new format 
conversion. This surpassed the goal of 528 targeted for December 31, 
2000. Of the 600 books reviewed, approximately 10 percent have been 
published and received approval for use. Results have been excellent, 
with essentially no changes required during execution of the proce- 
dures. The ground systems facilities document conversion (to MAXI 
MO software) is expected to achieve 85 percent of this years goal. 

Less effort has been focused on the improvement of engineering draw 
ings than on upgrading the books of work instructions. As a result, 
there are still too many unincorporated engineering orders (EOs) on 
the work drawings. There was at least one processing problem during 
the year (the loss of an elevon tile) the root cause of which was traced 
to confusing drawings. It has been reported that some drawings have 
been updated so many times that they are virtually illegible. NASA 
and its contractors did focus some effort on improving engineering 
drawings, but more work is needed. A concerted, continuing effort by 
the vehicle systems design organizations, such as the one focused on 
work instructions at KSC, is clearly warranted and should be started 
as soon as possible. 

The time required and resource expenditures to complete these activ- 
ities will be considerable. Additionally, the production of new work doc- 
umentation and drawings and the transition to their use must occur 



during ongoing Space Shuttle operations. Handling both an increased 
launch rate and a continued, intensive effort to upgrade paperwork 
and drawings will require dedication and careful management. Even 
with the increased workload generated by more frequent launches, 
however, these improvement efforts should continue to receive high 
priority so the benefits can be realized as soon as possible and poten 
tial future problems can be avoided. 
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Ref: Finding #5 
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The Space Shuttle is destined to be NASA's human-rated launch vehicle 
for the foreseeable future. Like many contemporary aircraft, the Space 
Shuttle can have its life extended almost indefinitely through an appro- 
priate product improvement program. Issues such as parts obsolescence 
in the flight elements and their safety improvement are being addressed 
through the ongoing Space Shuttle upgrades activities. This effort will 
make the vehicle itself safer and easier to maintain. There are, however, 
in addition to the flight elements, numerous support elements on the 
ground that are necessary for the safe preparation, test, checkout, and 
launching of the Space Shuttle. 

Many of the safety critical ground assets for the Space Shuttle are at 
KSC. Most of these assets are 20 or more years old, and many are legacies 
from Apollo or earlier programs. Included are test equipment and facili 
ties; unique ground equipment such as the crawler transporters; ground 
support equipment; launch facilities; and the traditional “infrastructure” 
items such as buildings, cableways, and piping. For some time, the main 
tenance of these assets has focused primarily on assuring their immedi 
ate availability for the next launch. Much long-term maintenance and 
most upgrades have been deferred or never planned due to a lack of 
resources. As a result, the ability of these key assets to support the Space 
Shuttle for its expected flight life has become questionable. 

Both NASA and its contractors have devoted significant effort to ensur 
ing that ground assets are available and safe for each launch. There is 
a firm commitment to call a “time out” from launch activities if there is 
a question about the health of any of the ground systems. Assessments 
also have been made of the extent to which maintenance, refurbish 
ment, and replacement have fallen behind the aging of the various sys 
terns. There is not, however, a coordinated and funded plan to deal with 
this issue for the foreseeable service life of the Space Shuttle. Such a 
plan is needed forthwith as part of an overall effort to define the likely 
service life of the Space Shuttle and to plan for its continued safe, effi- 
cient, and effective operation. 



International Space Station and 
Crew Return Vehicle 


International Space Station (ISS) 


Ref: Finding #6 

The assembly sequence for the ISS requires many launches and results in 
a myriad of ISS configurations with associated requirements for the 
Portable Computer System (PCS) software. The PCS is the primary astro- 
naut interface to the system, especially in monitoring the station and in 
troubleshooting in the event of anomaly or emergency This PCS software 
is necessary for Multi-Element Integrated Testing (MEIT) as well as for 
astronaut training for each flight. Problems can result when the software 
used for testing or training is not the same as the final flight load. The 
potential problems are greater when the softwares basic functionality is 
changed than when the updates between testing and deployment only 
involve improvements in the displays. Regardless of the motivation for or 
nature of a software upgrade, adequate testing with crew participation is 
necessary before it is committed to flight. 

The Panel understands that MEIT testing is often paced by software 
delivery, especially for the PCS. To maximize the amount of testing of the 
basic system, work has been scheduled to proceed without the final soft 
ware for the PCS. There are plans to test the final PCS load via regression 
testing. This is, no doubt, the most expeditious way to proceed, but it does 
restrict the amount of time for testing, catching errors, and, especially, for 
testing and training with astronaut participation. The ISS program 
should therefore use caution to ensure that regression testing is truly suf- 
ficient to assess the flight software and prepare the crews adequately for 
their mission. 
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Crew Return Vehicle (CRV) 


Ref: Finding #7 

Over the past several years, the Panel has followed the X-38 CRV tech 
nology validation program with particular interest to the issues related to 
the safety of the CRV occupants. The scheduled space flight test of the X- 
38 vehicle 201 from the Space Shuttle on orbit is a key element in the 
safety validation of the CRV While many of the individual elements of the 
X-38 CRV and its systems have been individually tested or validated, this 
test from space is a key event in the validation program. Every effort must 
be made to ensure the success of this test. The completion of a detailed 
test plan at a very early date is essential to providing for a thorough 
review of the plan by all of the interested parties, including a possible 
independent review team. 
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Ref: Finding #8 


The X-38 CRV technology validation program is at a critical stage. An 
aerospace contractor is in the process of being selected to design and pro- 
duce the operational crew return vehicles. During the technology valida- 
tion phase of the program, the NASA team conducted many design 
studies, safety analyses, and tests on various elements and systems to be 
used in the operational vehicles. This process of a NASA hand-off to a con 
tractor is innovative. As a result, there is little experience in dealing with 
the necessary information and technology transfer. This leads to a concern 
that the wealth of knowledge gained by the NASA X-38 team may not be 
completely transferred to the selected contractor. Although there has been 
involvement by the potential contractors in the NASA portion of the pro- 
gram, there needs to be a comprehensive plan to ensure that all of the 
design and safety knowledge acquired by NASA is fully utilized by the 
contractor. One approach might be to use NASA engineers to support the 
contractors design team. Other ideas may be forthcoming. In any event, 
the lessons learned by NASA should not be allowed to slip away from the 
designers of the production vehicles. 


59 


information 
in support of 
findings and 
recommendations 



Aerospace Technolo 


Ref: Finding #9 

Safety-related issues associated with the Stratospheric Observatory for 
Infrared Astronomy (SOFIA) include the Boeing 747SP modifications for 
carrying the German provided telescope and plans for acquiring FAA sup- 
plemental-type certification. This also covers significant modifications 
such as skin replacements. The aerodynamic and structural tests of the 
modification have proceeded with satisfactory analytical results and will 
be validated by flight tests in 2001. 

A SOFIA Cockpit Working Group, composed of United Airlines (UAL), 
Universities Space Research Association, Raytheon, and NASA, has been 
established with purview over the cockpit avionics configuration, and 
intends to meet all regulatory requirements and conform to UAL opera- 
tional guidelines. The cockpit configuration is not on the SOFIA schedule 
critical path, and the applicable regulations, avionics technology, and the 
UAL fleet configurations are all evolving. Thus, the decision on the final 
configurations has been delayed until required by the development sched 
ule. As a result, the flight operations for SOFIA are planned for two phas 
es: a flight operations test phase and a science mission phase. 
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Ref: Finding #10 


Experience has demonstrated that the best aviation safety performance 
comes when the chief executive officer of a facility personally retains the 
role of top safety official. This cannot be effected within NASA if the 
Aviation Safety Officer (ASO) is organizationally removed from the 
Center Director. Although each NASA center has a designated ASO, these 
ASOs do not all report directly to their Center Directors. While ASOs may 
have ready access to their Center Directors, their independence in report- 
ing safety problems can be compromised if they are not direct reports. In 
order to assure the prominence of aviation safety within each of the NASA 
centers, all ASOs should report directly to their Center Directors. 
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Cross Program Areas 


Workforce 


Ref: Findings #11-13 

The Panel was gratified that NASA in FY 2000 resumed a more realistic 
approach to meeting its workforce requirements. After several years of 
downsizing and hiring restrictions, NASA permitted its Field Centers to 
resume modest hiring of persons to fill identified gaps in critical skills and 
recruitment of recent graduates (“fresh outs”) to provide engineering and 
management leadership in the future. The United Space Alliance came to 
a similar conclusion in regard to its Space Shuttle processing duties at 
KSC and began augmenting its workforce that had been excessively cut 
over the prior two years. 

These positive changes came after two years of intensive review of work 
force and infrastructure carried out by the Core Capability Assessment 
(CCA). This review documented that the downsizing and Zero Base 
Review (ZBR) targets had especially affected the Office of Space Flight 
(OSF) centers. Extensive fact-finding by the Panel at KSC, JSC, and 
MSFC revealed that an increasing number of critical skills were either 
lacking or one deep. The inability to fill these vacancies except by internal 
NASA transfers raised serious questions about OSFs capability to meet 
the expanded Space Shuttle flight rate associated with assembly of the 
ISS. And, as noted previously, the near total absence of hiring of recent 
graduates raised the threat of leadership shortfalls as senior NASA lead 
ers reached retirement age. 

The approved hiring levels were designed to provide relief for the most 
urgent skill gaps, and make a credible beginning in recruitment and hir- 
ing of fresh-outs. In addition, there were clear intangible benefits to the 
workforce that flowed from the reality that human space flight still had a 
future at NASA. Improvements in employee morale were frequently cited 
to the Panel during its fact-finding trips. KSC was approved for approxi- 
mately 160 new hires (with an immediate emphasis on safety inspectors) ; 
JSC was approved for approximately 170; and MSFC for about 215. Each 
center was directed to use at least 50 percent of these additions for entry- 
level fresh-outs. It is noteworthy that with these additions the employ- 
ment levels at the OSF centers are still at least 20 percent below those 
that prevailed at the time of the ZBR (1994-95). 

The decision to change workforce policy was reached early in calendar 
year 2000. Hence, there was initially real doubt among human resources 
(HR) staff at the centers whether hiring of fresh-outs was feasible since 
recruitment of the best and the brightest in the 2000 graduating class had 
been underway for months. But the response to NASA’s recruitment 
efforts was excellent, far in excess of expectations. HR officers cited 
instances where graduating engineers walked away from earlier offers in 
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order to work in the space program. It is likely that this recruiting success 
will continue. The large number of retirement eligibles at each OSF cen 
ter ensures that vacancies will need to be filled. 
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Success at entry-level hiring brings the new challenge of integrating these 
employees into the highly demanding work environment of human space 
flight. This is a task that has not existed in recent years. The OSF centers 
are taking various approaches. MSFC has designed a “Marshall 
Beginnings” that looks at leaders, activities, values, and the “New 
Employee Advocate Program” that assigns advocates (coaches) individu 
ally to new employees to provide guidance and advice. A pilot mentoring 
program will be expanded. 

At JSC, an Individual Development Plan is being prepared for each entry- 
level hire. The emphasis is on acquiring hands-on experience in several of 
the engineering directorates. A new orientation program also has been 
developed. KSC has established a center- wide HR council, representing 
all major KSC workforce areas, to determine individual development 
opportunities. Fresh-outs also will be able to acquire hands on experience 
through training partnerships with USA and other contractors. Each 
entry-level employee will be given a specific engineering project to com 
plete within the first six months. Given these varying approaches, the 
Panel has recommended that an assessment be conducted to determine 
the relative success of these initiatives. 

In addition to these integration and orientation activities, there is a grow 
ing need for advanced training of those hired to fill critical skills gaps, as 
well as to provide professional and career development opportunities. 
With the active encouragement of the NASA Administrator, the Agency is 
proposing to increase overall training resources by about 1 7 percent in fis 
cal year 2001 and by 50 percent in fiscal year 2002. Use of these resources, 
however, does not appear to be uniform by the OSF centers. The centers 
also report increased support for employees to acquire the Ph D. degree. 

In summary, the challenge no longer is trying to determine ways of mak 
ing-do with a diminishing workforce. It is the equally demanding task of 
using newly acquired human resources most productively and in a man- 
ner that contributes solidly to NASA’s future success. 



Computer Hardware/Software 


Ref: Findings #14 and #15 

The Software Independent Verification and Validation (IV&V) Facility 
was established in 1994 in Fairmont, West Virginia, to provide a center of 
expertise for independent analytical assessment of software for NASA 
missions. Management of the facility, initially centered at Headquarters, 
was subsequently transferred to the Ames Research Center (ARC). As 
part of the FY 2000 appropriation process, NASA was directed to: 

* Achieve “substantial integration of the IV&V Facility into the NASA 
system” 

* Take advantage of GSFC’s proximity to the IV&V Facility 

* “...report, in conjunction with GSFC and no later than June 1, 2000, 
on what new activities the various NASA Centers are initiating with 
the IV&V Facility.” 


In order to comply more fully with this directive, in March 2000, GSFC 
was directed to develop a Business Plan that included the transition of 
the Facility from ARC to GSFC management. This included a new and 
stronger interpretation of the requirements for IV&V. Each project is now 
required to produce and document a plan that addresses its software 
assurance over the life cycle of its software design and development. 
IV&V of software must be included when deemed appropriate based on 
project cost, size, complexity, life span, risk, and consequences of failure. 
The IV&V Facility was given responsibility for the management of all 
software IV&V within the Agency. 

With the pervasiveness of software in current technology of all kinds, 
nearly every project and program manager will be impacted by this 
requirement. While IV&V can be very important to projects, proper uti- 
lization of it requires careful and early project and budget planning. 
Budgetary and organizational problems often arise when one tries to 
“shoe horn” IV&V in after a project is well under way, especially when an 
external organization at a remote location is involved. However, software 
development, and especially IV&V, processes are relatively new, and few 
program and project managers are familiar with them. Most managers 
simply do not have the training or experience to appreciate the issues and 
benefits involved. If NASA is to be successful in its endeavor to institute 
wide use of IV&V, proper software assurance training of management at 
all levels is necessary. 

Of concern to the Panel is the possibility that the Facility will have to 
assume an enforcement role. If so, it could engender resentment from 
other NASA entities and make the task of incorporating IV&V into proj- 
ects even more difficult. 

The primary focus of the Facility’s activities will be on applying inde- 
pendent verification and validation (V &V) to projects. Only a small part 
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of the Facility’s budget is directed toward research on new V&V tech 
niques. For example, the increasing need for autonomous systems for long 
term and remote missions leads to the use of artificial intelligence 
approaches, such as neural nets and expert systems. Good techniques for 
V&V of such systems have not yet been developed. There is also a need to 
research improved techniques for evaluating the effectiveness of various 
software development and V&V approaches. 

At present, there has not been a focused call for research activities. 
Rather, proposals have been accepted ad hoc and reviewed primarily 
internally. With the separation of the Facility from ARC, a research cen 
ter, care must be taken to ensure that there is a strong research program 
focused on important problems. A long-term plan with adequate funding 
is needed. 
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Ref: Finding #1 6 


Due to numerous attacks by computer hackers, the need for computer 
security has risen to a high level throughout our society NASA is no 
exception and has initiated a number of actions to address this problem. 
The activities instituted include: 1) an Agency wide security training pro- 
gram; 2) a self-evaluation of computer security at all centers; 3) a require- 
ment that security plans be developed for all computer systems; and 4) 
use of a private key infrastructure (PKI) system for all of its computer 
communication. In addition, NASA has retained a private firm to evalu- 
ate computer security at its centers and run penetration tests to ascertain 
the resilience of its critical systems to hostile penetrations. 

In many respects, NASA has made good progress on security plans. 
Security training is proceeding more or less on schedule, and the security 
contractor has completed its evaluation and penetration testing of three 
centers with good results. However, progress in two areas has been lag- 
ging. Problems have arisen with the PKI effort, and NASA has been 
unable to deploy the system as expected. NASA has been working with 
the vendor for a number of months, but problems remain. Second, while 
several NASA centers have completed their computer security plans, a 
number of other NASA centers have not made much progress. 

In terms of operations, it is required that a computer security official be 
appointed for each major computer system. It appears that the computer 
security duties often are added to those of the systems administrators. 
There is concern that these extra duties are not always adequately recog 
nized and rewarded. Also, there is a need to ensure that the security offi 
cers are adequately trained in the techniques and importance of their 
security role. 

While NASA has a strong focus on computer security at this time, securi 
ty must be an ongoing effort. There have been a substantial number of 
hostile attacks during the past year. Such will always be the case. Thus, 
computer security cannot be a one time crash effort. It must be an ongo- 
ing activity that continually examines NASA’s systems and potential 
threats, improves security, and maintains continuing employee training. 
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Ref: Finding #1 7 
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The Software Engineering Institutes (SEI) Capability Maturity Model 
(CMM) is based on the premise that the quality of software is highly influ- 
enced by the quality of the processes that are used to develop it. CMM is 
a five-level model that gauges the extent to which processes are explicit- 
ly defined, managed, measured, controlled, and used to improve software 
and the way it is developed. The five levels define the five stages through 
which organizations pass as they evolve their software processes. CMM 
was introduced in the late 1980s, and has become widely used throughout 
the world as a measure of an organization s ability to develop and deliver 
quality software. 

There are 1 8 key process areas that are used to define the five levels in 
the Software CMM. Each key process area contains goals and best prac- 
tices for achieving those goals. The levels range from 1 (lowest) with poor 
ly defined processes, schedule slips, and cost overruns to level 5 (highest) 
with a quantitative characterization of all software processes, a focus on 
measurable software process improvement, and results that are highly 
predictable. The levels and their primary foci are: 

Level 1. Focus is on competent people who can “save the day.” 

Level 2. Focus is on basic project management of six key process areas: 
requirements management, project planning, project tracking and over 
sight, subcontractor management, quality assurance, and configuration 
management. Plans are based on past experience and results are gener 
ally repeatable. 

Level 3. Focus is on process standardization in seven key process areas. 
The key process areas are: establishing organizational responsibility for 
improving overall software process capability; developing products and 
defining standard processes for improving performance across projects; 
developing appropriate skills through training; integrating software engi 
neering and management activities; defining a product engineering 
process for producing correct, consistent software products; coordinating 
and integrating all contributing groups for improving customer satisfac- 
tion; and conducting peer reviews for detecting defects early in the devel- 
opment cycle. 

Level 4. Focus is on quantitative management. Key process areas are 
measuring and controlling performance of the processes used by the soft- 
ware project and developing a quantitative characterization of the pro- 
jects software product to achieve quality goals. 

Level 5. Focus is on continuous process improvement. Key process areas 
are preventing defects by identifying and eliminating root causes, identi- 
fying and transitioning to new technologies that improve processes, and 
continually evolving software processes to enhance quality, increase pro- 
ductivity, and decrease cycle time. 


At the end of 1999, more than 75 percent of the 870 commercial and gov- 
ernment organizations that had reported their Maturity Level to the SEI 



during a 5-year period were at Level 1 and 2 , more than 17 percent were 
at Level 3, just under 5 percent at level 4, and only 1.8 percent had 
achieved Level 5. Approximately half of these organizations were govern- 
ment agency/military and related contractors. 
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The Multiplexer/Demultiplexers (MDMs) are the principal computers of 
the ISS. They are based upon Intel 386 processors and utilize a 16-bit 
backplane. They also have limited memory by today s standards. The raw 
computing power of the 386 processors is more than an order of magni- 
tude less than current state-of-the-art processors. The use of a 16 bit bus 
reduces throughput of memory accesses by at least a factor of two. This 
latter point is particularly important with respect to input/output opera- 
tions via a separate processor with which the MDM communicates over 
the bus. As the MDMs are the central core of ISS operations, they are safe- 
ty and mission critical components. 

The software running on the MDMs involves several different tasks. 
Scheduling the execution of these tasks in a manner that assures that all 
tasks get done on time is a problem that generally becomes increasingly 
difficult as the utilization of the central processor unit (CPU) increases. 
The requirements for ISS specify that the CPU utilization of the MDMs 
should be no more than 65 percent. Although a reasonable requirement, 
it is proving difficult to achieve. 

Throughout the development history of the ISS software, the utilization of 
the MDMs has been a concern. Recently, utilization problems surfaced 
during MEIT testing. NASA was able to do some clever reprogramming to 
eliminate this particular problem. However, at present the MDM CPU uti 
lization is already at 65 percent. Four major deliveries of ISS software 
remain, each of which is expected to significantly increase the CPU uti 
lization. At present, NASA’s primary strategy for handling these increas 
es that will put utilization far above the 65 percent requirement is to 
depend upon developing code optimizations to reduce the CPU utilization. 
There is no guarantee this approach will succeed. 

A long-term approach to the MDM limitations is to upgrade the CPU to a 
current generation Pentium processor. A contract was awarded to evalu 
ate the possibility of a CPU upgrade, and a report was received in early 
fall 2000. However, NASA is not pursuing any follow-on activity at this 
time. In view of the growing CPU utilization and the likelihood of 
increased demands over the life of the ISS, NASA needs to continue to 
pursue an upgrade to the MDMs as rapidly as possible. With this effort, it 
is important to consider not only the CPU but also the bus structure. 



Extravehicular Activity (EVA) 
and Radiation Protection 


Ref: Finding #19 

For ISS astronauts, the highest percentage of radiation exposure to the 
organs will be from Galactic Cosmic Radiation (GCR), including neutrons. 
Limitations in the operational effectiveness of neutron detectors have 
restricted the ability to characterize neutron spectra and dosage. For 
near-term ISS and Space Shuttle crews, accurate monitoring is essential 
to the understanding of radiobiological effects, in the design of shielding 
and development of operational improvements, and in organ dose projec- 
tions for career records and planning. The requirement will become even 
more critical as humans venture into deep space. 
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Ref: Finding #20 


The current EMU is expensive to maintain, unwieldy, deficient in provid 
ing radiation protection, mechanically complex, not optimized for the 
incorporation of advanced technologies, and operationally limited. 
Utilizing the expertise of U.S. domestic suppliers and technology that 
might be available from international partners, a comprehensive program 
could produce a next generation space suit in about six years. 
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Appendix B 


NASA RESPONSE 
TO ANNUAL REPORT FOR 1999 


SUMMARY 

NASA responded on August 16, 2000, to the “Findings and 
Recommendations” from the 1999 Aerospace Safety Advisory Panel 
Annual Report NASA’s response to each report item is categorized by the 
Panel as “open, continuing, or closed.” Open items are those on which the 
Panel differs with the NASA response in one or more respects. They are 
typically addressed by a new finding, recommendation, or observation in 
this report. Continuing items involve concerns that are an inherent part 
of NASA operations or have not progressed sufficiently to permit a final 
determination by the Panel. These will remain a focus of the Panel’s 
activities during 2001. Items considered answered adequately are 
deemed closed. 

Based on the Panel’s review of the NASA response and the information 
gathered during the 2000 period, the status of the recommendations made 
in the 1999 Aerospace Safety Advisory Panel Annual Report is presented 
on the following pages. 
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Finding and Recommendation # 1: Continuing - Although NASA has 
totally turned around its workforce policy for OSF centers, the gaps in 
critical skills, stress, and schedule pressures will remain until new work 
force additions are trained, integrated, and performing at high levels. In 
addition, retention of critical skills is a continuing problem as employees 
retire or seek greener pastures. Although NASA has resumed hiring, con 
tinuing attrition has resulted in a low net gain of personnel. 

Finding and Recommendation # 2: Continuing - NASA correctly cites 
various new efforts to deal with the problem, but challenges remain. 
Experienced employees in functional directorates have been hesitant to 
transfer their critical skills to the Space Shuttle and ISS programs, 
although this problem appears to be less severe than it was a half-year 
ago. More attractive incentives may be appropriate. Some NASA centers 
continue to report the limited impact of HQ-driven training initiatives. 
NASA-contractor training partnerships need to be assessed. 

Finding/Recommendation #3: Continuing - The effort is off to a good 
start in concept as evidenced by the video “Success in Process Control,” 
but evidence is needed that the renewed attention gets down to subcon 
tractors and vendors. Some NASA established benchmarks would enable 
a measure of results. 

Finding/Recommendation #4: Continuing - Good start but its a 
major undertaking with a long way yet to go. Effort needs an agreed upon 
measure of effectiveness in order to judge success. 

Finding/Recommendation # 5 ; Continuing - NASA reports the begin 
ning of a plan, but its incomplete and funds have yet to be identified. 

Finding/Recommendation #6: Continuing - Hiring is underway, but 
numbers are not up to requirements just yet and KSC is now in an era of 
higher flight rates. Far too early to close the issue. 

Finding/Recommendation #7: Continuing - NASA’s response is 
encouraging but more information is needed on how widespread these 
efforts are. 

Finding/Recommendation #8: Closed - A satisfactory response. 

Finding/Recommendation #9: Closed - A comprehensive response. 

Finding/Recommendation #10: Closed - The Joint NASA-RSA Team 
has certified the modified Russian Solid Fuel Oxygen Generator (SFOG) 
for service in the ISS. NASA also has a certified “off-the-shelf” unit ready 
for service. 

Finding/Recommendation #11: Closed - A satisfactory response. 

Finding/Recommendation #12: Closed - The next generation space 
suit is the subject of a new item for the 2000 Annual Report. 

Finding/Recommendation # 13: Closed - A satisfactory response. 



Finding/Recommendation # 14: Continuing - While the intent 
expressed is in accord with the recommendation, it is the completion of 
the present work that will fully respond to the item. 

Finding/Recommendation # 15: Continuing - NASA’s security pro- 
gram is moving in the right direction. However, it has a long way to go 
before it is complete. 

Finding/Recommendation # 16: Continuing - NASA is moving in the 
direction of funding the upgrades, but the final commitments have not yet 
been made on the category of upgrades addressed. 

Finding/Recommendation # 17: Closed - A satisfactory response. 

Finding/Recommendation # 18: Closed - A satisfactory response. 

Finding/Recommendation #19: Closed - This response is adequate 
assuming the programs referenced are actually continued. 

Finding/Recommendation # 20: Continuing - A new finding on the 
subject is included in the current report. 

Finding/Recommendation #21: Closed - A satisfactory response. 

Finding/Recommendation #22: Closed - The NASA response is ade 
quate. 

Finding/Recommendation #23: Closed - The response is acceptable. 
Finding/Recommendation #24: Closed - A sufficient response. 
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National Aeronautics and 
Space Administration 

Office of the Administrator 

Washington, DC 20546-0001 


AUG I 6 2000 

Mr. Richard D. Blomberg 
Chairman 

Aerospace Safety Advisory Panel 
1010 Summer Street 
Stamford, CT 06905-5503 


Dear Mr. Blomberg: 

In accordance with your request after our February 10, 2000, meeting, enclosed is 
NASA’s response to Section II, “Findings and Recommendations,” from the Aerospace 
Safety Advisory Panel (ASAP) Annual Report for 1999. 

The ASAP’s efforts in assisting NASA to maintain the highest possible safety 
standards are commendable. Your recommendations are highly regarded and continue to 
play an important role in risk reduction in NASA programs. 

We thank you and your Panel members and consultants for your valuable 
contributions. ASAP recommendations receive the full attention of NASA senior 
management. In particular, I expect that NASA’s Office of Safety and Mission Assurance 
will track resolution of these issues as part of their role in independent assessment. 

We welcome the continuance of this beneficial working relationship with the Panel. 




Enclosure 


1999 Aerospace Safety Advisory 
Panel (ASAP) Report 

Findings, Recommendations, and Responses 


WORKFORCE 


Finding #1 

The continuing downsizing at Office of Space Flight Field Centers, cou- 
pled with the effects of the prior hiring freeze and unplanned departures, 
has produced critical skills deficits in some areas, growing workload pres- 
sure and stress levels, and a serious shortfall of younger S&Es. 


Recommendation #1 

NASA must continue to address workforce problems aggressively and 
establish program priorities that ensure a workforce capable of achieving 
long term safe and effective operations. Emphasis should be placed on 
eliminating critical skills shortfalls and recruiting younger S&Es who can 
develop into experienced and skilled future leaders. 
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Response 

NASA concurs with the ASAP recommendation. As a result of the ASAP 
findings and recommendations, as well as other external and internal 
reviews of the workforce, NASA has terminated downsizing at the Office 
of Space Flight (OSF) Centers. All four OSF Centers — the Johnson Space 
Center (JSC), Kennedy Space Center (KSC), the Marshall Space Flight 
Center (MSFC), and the Stennis Space Center (SSC) — are in the midst of 
large-scale efforts to replace skill losses and increase the number of entry- 
level professionals. NASA has a plan in place to hire close to 600 new 
employees in fiscal year (FY) 2000 that will fill some of our most critical 
skill shortages and enable us to begin efforts to rebuild our cadre of future 
leaders. These new critical staff hires are designed to support program 
requirements for Space Shuttle Operations and Upgrades, Space Station 
Development and Operations, Expendable Launch Vehicles, Advanced 
Space Transportation Technology and other Center mission-related and 
administrative requirements. The hiring of these new employees is geared 
to alleviating stress impacts resulting from expanding workload pres- 
sures coupled with continuous downsizing; eliminating critical skill short- 
ages across our programs and Centers; and pursuing fresh out hires to 
revitalize our Science and Engineering (S&E) knowledge base for future 
program and project management responsibilities. In addition, NASA is 



seeking to refocus our workforce composition towards a future-oriented 
research and development base. Specific short-term scientific and engi- 
neering expertise or operations-oriented requirements will be satisfied by 
utilizing nonpermanent term appointments and Intergovernmental 
Personnel Act assignments. In addition, we anticipate the ability to 
replace upcoming losses on a one-for-one basis in the years to come. 

Our hiring capability has sparked renewed enthusiasm throughout JSC, 
KSC, and MSFC, and SSC. Employees and managers are eager to return 
to a time when NASA had a continuing influx of the best and brightest 
graduates in the engineering and science fields. We have carefully 
planned our recruiting strategy to ensure success in achieving this goal. 
To this end, we have identified critical skill shortages and made them our 
top hiring priorities. We have established a goal of hiring 50 to 70 percent 
of new personnel at the entry level in an effort to revitalize our workforce 
with high-caliber, recent graduates. 

NASA’s recruiting efforts are aimed at some of the top engineering and 
business schools in the country, including minority universities. We have 
involved many NASA employees in our recruiting initiative by sending 
them to conduct on-campus interviews with potential candidates. The 
OSF Centers’ rigorous screening process requires that potential employ 
ees possess degrees that are consistent with long-term needs, a minimum 
grade point average of 3.0 (on a 4.0 scale), outstanding references and 
other indicators of high achievement (e.g., extracurricular activities, 
honor society membership, community involvement, and awards). We are 
already seeing hiring results that are on track for meeting these goals. 

aerospace safety 
advisory panel 

annual report for 2000 Finally, the contractor workforce will be enhanced, where appropriate, for 

maintaining safe and effective operations. An example of this is the 
United Space Alliance (USA) initiative to enhance work documentation 
with new technology and off-the-shelf products and still maintain 
increased flight-rate capability. 



Finding #2 


The combination of downsizing losses, hiring restrictions, and transition 
of responsibilities from NASA to contractors, such as USA, continues to 
limit the opportunities for junior and mid-level NASA managers to gain 
the operational knowledge and experience required for continued leader- 
ship in senior management positions. 


Recommendation #2 

Innovative arrangements between NASA and its contractors to provide 
entry-level and mid-level NASA S&Es with operational, “hands-on” expe- 
rience should be strengthened and expanded. Project management train 
ing initiatives, such as the Academy of Program & Project Leadership 
(APPL) , must strive to broaden their outreach to management teams and 
individuals at Field Centers. 


Response 

NASA concurs with the ASAP recommendation. NASA agrees that its 
existing programs and initiatives should be intensified and broadened to 
provide opportunities for hands-on work experiences, not only for new 
hires, but also for all career levels. Providing a broad set of work experi 
ences is key to building leadership capability, and NASA has a number of 
programs in place or in development that will improve our capability to 
do so. Examples include: 

* co-op assignments partnered with contractor systems engineers 

* direct observation or procedure review of critical tasks 

* management of Shuttle launch countdown, launch, and 
landing/recovery 

* participation in flight and ground systems development and enhance- 
ments 

* processing mid-decks, utilization payloads, and partial Shuttle pay- 
loads 

* participation in contractor testing, and anomaly resolution 

* ensuring adequately designed, tested, and assembled hardware 

To allow some of our best junior- and midlevel personnel the opportunity 
to broaden their functional experiences, the Space Shuttle Program Office 
has created rotational opportunities at several Centers where they can 
gain experience at the program level before considering a program office 
job. This early exposure to the significant operational and programmatic 
management challenges will better equip them to serve in future leader- 
ship roles in either a functional-, project- or program-level organization. 

Our current hiring strategy also considers how to develop our leadership 
capability. Placing engineers fresh out of college into hands-on direc- 
torates (i.e., engineering, mission operations, etc.) allows the Agency to 
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move experienced personnel from these line organizations into jobs in the 
program offices where they can build on the experience base they bring 
from functional jobs. 

Formal training opportunities have expanded in recent years. We take 
advantage of opportunities to bring courses to the Centers for intact work 
groups and will increase our use of intact team training and performance 
support tools in the future. 

An example of a unique partnering relationship in the project manage- 
ment training area at JSC has been the Engineering Directorates work 
with Lockheed Martin and the consulting firm of Kepner-Tregoe. Kepner 
Tregoe designed a course specifically tailored to include the NASA process 
for the development of Government Furnished Equipment (GFE) hard- 
ware. Many of the Engineering Directorates civil servant GFE project 
managers participated in sessions with their Lockheed Martin counter 
parts. This experience was extremely beneficial for all involved and can 
serve as a model for the future. 

At the Agency level, our Academy of Program/Project Leadership provides 
developmental training opportunities for future and current program/proj 
ect personnel and additionally provides a full curriculum of courses for per 
sonnel at all levels. The Academy includes 23 courses, performance support 
to intact teams, a project management assessment initiative, web based 
tools for project managers, a knowledge management/best practices initia 
tive, and a project management development competency model for devel 
oping personnel. We have initiated a new option for high performing 
potential project personnel which includes a 1 year development assign 
ment and up to 2 years graduate study at MIT, which provides a dual mas 
ters degree in business and systems engineering. 

Future directions in training and learning for the program and project 
management workforce will take us to using the latest advances in learn 
ing delivery methods and technology, providing team learning directly to 
project and organizational teams, providing individual training empha 
sizing technical and leadership core competencies and skills, and provid 
ing mentoring and coaching for program and project managers. We will 
emphasize and encourage continual learning in the workplace as well as 
academic training in these areas, and we will form alliances with our 
industry and Government partners, encouraging them to also foster sim- 
ilar continual learning efforts within their organizations. Through these 
efforts, NASA and its partners will achieve higher levels of skill in project 
management and leadership. 



SPACE SHUTTLE PROGRAM 


Finding #3 

The Space Shuttle Program Office has instituted a set of Process Control 
Focus Groups whose goal is to implement “best practice” commonality in 
change control procedures across all supplier tiers. 


Recommendation #3 

Focus the active and dedicated support of senior management of the 
major contractors and all their subcontractors on implementing the 
process control “best practices” as soon as feasible. NASA must be fully 
apprised of all process changes even if they result in a product that meets 
requirements. 


Response 

NASA concurs with the recommendation. The Government and Industry 
Process Control Focus Group has been established by the Manager, Space 
Shuttle Program (SSP), and is aggressively developing a coordinated and 
consistent process control program for the SSP. The goal of the Process 
Control Focus Group is to achieve common process change control across 
all program elements. A Process Control Management Plan has been 
developed with formal sign-off by NASA and all prime contractors 
required. Membership of this group includes civil servant representation 
from JSC, KSC, and MSFC and all the Space Shuttle prime contractors. 
The efforts of this group are focused on increasing communication of the 
importance of process change control to all elements of the program 
including subtier suppliers, implementation of best practices, and sharing 
lessons learned among all Shuttle contractors. 

To increase awareness of the SSP emphasis on process control, increased 
communication with the suppliers will be accomplished by several meth- 
ods, including an SSP Process Control video, posters, and brochures. 
These are examples of tools that will be used during motivational visits to 
suppliers by prime contractor and SSP management. 

A process control best practices and lessons learned database is being 
developed by the focus group for use by NASA and the prime contractors 
to share lessons learned and implement the use of best practices across 
the program. This database will include the process/product integrity 
audits and process failure mode and effects analyses (FMEA) mentioned 
in the ASAP report as good process control techniques. Symposiums to 
share in-depth techniques for applying these best practices to different 
business situations are also planned. In summary, establishment of the 
focus group, development of the database, use of a process control video 
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and other tools during NASA and contractor management motivational 
visits to suppliers, and the utilization of symposiums will foster NASA 
process change awareness and focus the major contractors and their sub- 
contractors on implementation of best practices process control. 
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Finding #4 

Although progress has been made to improve the quality, accuracy, and 
traceability of the work instructions (“paperwork” used in the processing 
of Space Shuttle Orbiters) much remains to be done to provide correct and 
unambiguous procedures. There are still too many unincorporated 
changes. 


Recommendation #4 

Efforts to improve the quality, accuracy, and traceability of the work paper 
as well as the timeliness of incorporation of changes to work instructions 
must be given higher priority by both NASA and USA in a coordinated, 
systematic effort. 


Response 

NASA concurs with the ASAP recommendation. During the 1 999 calendar 
year, numerous initiatives were accomplished which established the foun 
dation to improve the quality, accuracy, and traceability of work instruc 
tions. Examples of these initiatives include appointment of a USA 
documentation manager and four dedicated project leads, the creation of 
a new work instruction format and style guide, development of a system- 
atic procedure to perform task and document analysis, development of the 
new work authorization document authoring and validation environment 
(WAVE) computer software to allow engineers to quickly and easily mod 
ify work instructions, and reduction of deviation backlog. With this foun 
dation, priority was given by USA shuttle engineering to establishing a 
Year 2000 Strategic Initiative to “Increase the quality and level of worka 
bility of work authorizing documentation.” In addition, a comprehensive 
Category I Document Evaluation & Restructure (CDER) Plan was estab 
lished to effectively improve the quality, accuracy, and tractability of both 
flight and groundwork instructions. 

The CDER Plan will ensure document simplification as the WAVE soft- 
ware, Maximo, and PeopleSoft initiatives are implemented. Work instruc- 
tions, rewritten to the new standards established in 1999, will include 
restructuring to only include the work steps needed for that specific task 
as defined by the needs of the Maximo Job Plan and PeopleSoft Product 
Structure. Contingency steps, or steps applicable to other hardware, will 
be removed and placed in a separate work instruction package to avoid 
confusion. Also, work instructions that could be in multiple formats due to 
numerous previous contractor requirements will be converted to standard 
formats. Finally, any existing deviations will be incorporated as part of the 
rewrite. The end result will be a smaller, cleaner, concise work instruction 
package, including more graphics and pictures. The procedures will be 
reviewed and agreed to by the end user. This plan has two primary paths- 
-one for flight operations and another for ground operations. The deter- 
mination of which of these paths a work instruction will follow is 
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dependent on the criteria set forth in the PeopleSoft Product Structure 
and the Maximo Job Plan. PeopleSoft and Maximo are management sys- 
tems through which a reduction in the time required to incorporate paper- 
work can be achieved. 

The conversion of documents to PeopleSoft and Maximo will be heavily 
site and flow dependent. The goal is to complete approximately 500 
planned flight hardware processing work instructions for calendar year 
2000, with continued emphasis in subsequent years. Selection of those 
work instructions is based on pre-established criteria involving run fre- 
quency and criticality. By the end of FY 1999, USA had reduced deviations 
approximately 25 percent, from 7,300 to 5,535. A technical standard panel 
has been implemented and is chartered to review errors detected by audit 
teams, determine the root cause of the discrepancies, and take real-time 
action to prevent their re-occurrence. 

Also, the implementation of a distributed authoring approach allows engi 
neers to write their work instructions, provide ownership, control and 
accountability of their work instructions, and increase the number of 
operational maintenance instructions with zero deviations. To allow the 
engineer to make quick and easy incorporation of changes and provide on 
line review and concurrence by USA and NASA prior to the work instruc 
tion being issued to processing operations, a single Universal Test 
Operations Procedure format has been established for all flight docu 
ments in Documentum/PeopleSoft, and a single Job Plan format has been 
developed for all ground documents in Maximo. A standard electronic 
deviation template has also been developed. These actions will assure sue 
cinct, technically accurate, and user friendly work instructions. 



Finding #5 


There is no systematic plan to counter obsolescence and assure the avail- 
ability of adequate facilities, GSE, and specialized test-and-checkout 
equipment throughout the expected lifetime of the Space Shuttle. 


Recommendation #5 

Develop and execute a plan to ensure that all needed support and test- 
and-checkout facilities and equipment are assured available and protect- 
ed from obsolescence for the maximum foreseeable life of the Space 
Shuttle. 


Response 

NASA concurs with the ASAP recommendation. A specific focus on SSP 
infrastructure has been established for FY 2000, identifying issues and 
concerns throughout the program. The SSP initiated an effort in 
November 1999 to develop a plan and identify the requirements and 
resource levels required to address the infrastructure backlog and sup- 
portability needs for the SSP through FY 2012. This effort has incorpo- 
rated all SSP elements and support functions at Office of Space Flight 
Centers and the Dryden Flight Research Center. The completed plan will 
define infrastructure project funding requirements for vital components 
that support or directly impact the SSP. The plan spans across multiple 
years and will address the SSP short-term as well as long-range needs. 
Supporting SSP element infrastructure long-range assessments/plans 
have been completed or are in the process of completion. Two examples of 
SSP element supporting efforts are the Ground Systems Survivability 
Assessment, which addresses obsolescence by providing a component 
level assessment of requirements to maintain or improve existing capa- 
bilities, and the External Tank Projects 15-year plan. The completion of 
the Infrastructure Plan is a major Space Shuttle initiative whose results 
will be included in the Program Operating Plan strategy. The SSP has 
assigned a lead at KSC to formulate the SSP infrastructures upgrades 
requirements. 
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Finding #6 


Space Shuttle processing workload is sufficiently high that it is unrealis- 
tic to depend on the current staff to support higher flight rates and simul- 
taneously develop productivity improvements to compensate for reduced 
head counts. NASA and USA cannot depend solely on improved produc- 
tivity to meet increasing launch demands. 


Recommendation #6 

Hire additional personnel and support them with adequate training. 
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Response 

NASA concurs with the ASAP recommendation. Both NASA and USA rec 
ognize the need to assure adequately staffed and trained personnel for pro 
cessing the Shuttle and, simultaneously, pursue productivity improvements 
that can help meet the planned flight-rate increases. To address this con 
cern, KSC civil servant Shuttle Processing has authorization for additional 
staff, and USA is increasing their workforce at KSC from 3,650 to approxi- 
mately 3,900 to support Shuttle processing. Recruitment for these positions 
is in progress and expected to be completed in FY 2000. Finally, a replen 
ishment rate for FY 2001 has been authorized at KSC, which will permit 
continued infusion of skills to offset anticipated attrition. 



Finding #7 

Due to attrition of experienced personnel, NASA and its contractors are 
assigning more newly trained personnel to Space Shuttle operations 
tasks. This has led to concerns in the workforce regarding the qualifica- 
tions of some newly-assigned personnel. 


Recommendation #7 

NASA and its contractors must ensure that their training, certification, 
and task assignment processes are such that only suitably qualified engi- 
neering and technical personnel are performing Space Shuttle operations. 
Any training and licensing program to certify new personnel must include 
both testing of acquired skills and demonstrated proficiency on the 
assigned task. 


Response 

NASA concurs with the ASAP recommendation. NASA and the contractor 
agree that demonstrated proficiency for operational tasks is a key factor 
to safety and success. NASA and the contractor recognize the direct rela- 
tionship between personnel proficiency and flight safety, and this is 
reflected in the training, certification, and operator assignment processes 
implemented by both NASA and contractor. For ground operations 
involved in processing and operating the Space Shuttle systems, all newly 
hired contractor personnel are provided applicable training for security, 
safety, and the critical skills required for the area and system of their 
assignment. In addition to this general training, contractor personnel 
begin their orientation by becoming familiar with procedures, drawings, 
physical surroundings, etc. Once they have an understanding of these 
requirements, they accompany other experienced, skilled personnel on the 
job performing formal and informal on-the-job-training (OJT). 

In addition to the certification provided upon the successful completion of 
OJT, engineers must also complete Stand Board examinations for critical 
systems. Processing tasks are assigned based on the experience level of 
the employee. Processing tasks are not all equally critical, and newly-cer- 
tified personnel are generally assigned to low criticality tasks. This allows 
the more experienced personnel to focus on critical tasks. Employees are 
required to be recertified on a regular basis. The recertification involves 
varying degrees of proficiency testing based on the functional criticality of 
the task. 

The concerns and needs for assuring that the contractor workforce has the 
appropriate skills and proficiency to perform Space Shuttle processing 
responsibilities are applicable to the NASA civil service workforce as well. 
Training plans are defined for all entry-level technical positions within 
NASA Shuttle Processing. These plans include both formal classroom 
training and OJT packages required for the performance of the NASA 
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Space Shuttle operations role. Newly hired or transferred personnel are 
required to accomplish this training prior to performing unsupervised 
engineering or technical tasks. The supervisor is responsible for assuring 
that the training has been accomplished and adequate proficiency has 
been demonstrated. There is also continuous involvement with critical 
task surveillance, out-of-family disposition, and NASA-retained functions 
to maintain the critical skills of the workforce. While the level of direct 
NASA involvement has decreased with the planned transition of more 
responsibility to the contractor, NASA Shuttle Processing has increased 
its focus on simulation training to augment the need for engineers to 
maintain their knowledge of systems performance and operations. 
Increased utilization of Tier 3 training (integrated simulation training) 
has been implemented. Tier 1 (single system) and Tier 2 (multisystem) 
simulation training is also being planned to ensure proficiency. 
Requirements definition for system development is now complete for Tier 
1/Tier 2 training, and implementation plans are in work. 

In the flight operations area of Space Shuttle support, the Mission 
Operations Directorate and USA have jointly defined and documented 
training and certification criteria for all personnel assigned to mission 
critical functions. These plans are based on the position requirements and 
criticality of the assigned position. The training and certification plans 
and processes are unique for flight designers, training instructors, and 
flight controllers. Personnel are not assigned mission critical responsibil 
ities without having executed formal training and certification plans, as 
well as successfully demonstrating the capabilities consistent with the 
level of responsibility required by the position. Extensive use of simula- 
tions for mission control teams and individual operators is used in both 
the initial certification and the continuous proficiency training of flight 
control operators. Experience level is a critical part of successful flight 
operations. To ensure that training, certification, and task assignment 
processes are such that only qualified personnel are performing Space 
Shuttle operations, NASA uses trending and root-cause analysis of quali 
ty and safety occurrences to indicate those traceable to training process- 
es. This approach allows for a continuous assessment of the process of 
providing qualified personnel for performance of Shuttle processing and 
operations. 

USA has a performance management program to: 1) Ensure communica- 
tion between the employee and management; 2) Ensure that responsibil- 
ities and expectations are clearly understood; 3) Review employee job 
performance; 4) Make recommendations to improve employee job per- 
formance; and 5) Establish a record of the performance achieved by each 
employee. This performance management program is an ongoing process 
of planning, coaching, and reviewing. Management meets with each 
employee to discuss and establish individual objectives, including train- 
ing, each year, and agree on how employee success will be measured. 



INTERNATIONAL SPACE STATION (ISS) 
PROGRAM 


Finding #8 

Acquisition of the ISS Crew Return Vehicle (CRV) has been lagging and 
appears to be facing further delay. The full-crew CRV is needed for long- 
term safe operation of the ISS with a crew larger than three astronauts. 


Recommendation #8 

Take whatever steps are necessary to halt the delays to the CRV program 
without jeopardizing adequate demonstration of safety of design and cer 
tification of human rating. 


Response 

NASA concurs with the ASAP recommendation. Significant progress has 
been made in establishing the CRV project in the last year due to com- 
mitment at all levels within NASA - from the Administrator, the Office of 
Space Flight, JSC, the ISS Program Office, and the X-38/CRV Project 
Office. The original Office of Management and Budget (OMB) decision and 
Congressional markup reduced the project funding in FY 2000, which 
delayed the start of CRV Phase 1 (engineering development through crit- 
ical design review). NASA Headquarters successfully argued for the 
necessity of starting Phase 1 in FY 2000 and obtained OMB concurrence 
to transfer funding to start this phase in late FY 2000. 

The request for proposals for CRV Phase 1 has been released since the 
last ASAP review. Bids have been received from three offerors and are cur 
rently being evaluated. The current evaluation schedule will allow a 
Phase 1 contract award in the August-September 2000 timeframe, and 
the funding is in place. 

In support of this planned CRV Phase 1 start, the X-38 Project Office 
has worked with the Langley Research Center (LaRC), Independent 
Program Assessment Office, to close out all open actions from the LaRC 
independent assessment (IA). Approximately 90 percent of the 110 
“maturity gates” identified by the I A team have been closed to date, and 
an acceptable status of all of the 110 items is expected prior to a final 
Headquarters Program Management Council presentation in July 2000. 
Progress on these items confirms a significant reduction in risk prior to 
the start of Phase 1 . 
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The X-38/CRV prototype project has successfully completed five atmos- 
pheric flight tests and numerous parafoil tests. A major milestone was 
achieved in January 2000, with the first flight test of the full-scale parafoil 



96 


aerospace safety 
advisory panel 
annual report for 2000 


for the space vehicle. This parafoil is the size necessary for a CRV carrying 
seven crewmembers and contains all required design features for a 
human-rated system. This test was conducted without any anomalies, 
demonstrating NASA’s clear understanding of all the basic technical issues 
of parafoil fight as well as our ability to extrapolate from sub-scale testing 
to full-scale testing. The atmospheric vehicle flight tests have demonstrat- 
ed many of the new technologies (lifting-body aerodynamics, flight control 
systems, parafoil deployment, and electromechanical actuators) planned 
for the CRV. A fifth test is scheduled prior to the end of July 2000, which 
will confirm performance characteristics of the improved body shape. In 
addition, the critical element in the CRV navigation system will be tested 
in space aboard the Space Shuttle on STS- 101 in May 2000. A critical CRV 
technology - global positioning system-based attitude determination will 
be demonstrated on this flight. In the aggregate, all of these tests signifi 
cantly reduce the technology risks of the CRV. 

Assembly and testing of the X-38 space test vehicle is proceeding, and the 
first simplex power-up to the vehicle occurred in March 2000, verifying end 
to-end system power. The Space Shuttle program is currently manifesting 
the X-38 space test for April 2002. This will support a start of CRV Phase 2 
(production) at the start of FY 2003, and a CRV operational date in late FY 
2005 to early FY 2006, based on final production funding profiles. 

NASA remains firm in its commitment to review results from the space 
test prior to production. NASA has further established decision logic to be 
used to determine if a space test of the production vehicle will be necessary 
after the X-38 space test. This decision logic will ensure that critical eval 
uation and testing are not compromised by the accelerated CRV schedule. 



Finding #9 

The NASA personnel who are involved in finding solutions for the prob- 
lems of radiation in space have developed an excellent long-range plan to 
define approaches for crew protection. 


Recommendation #9 

Continue to support the nascent, but better defined, radiation effects 
research and development program. 


Response 

NASA concurs with the ASAP recommendation. NASA has focused on 
solutions for the radiation program. Our recommendations include: (1) 
Completing and expanding on efforts made in the May 1999 EVA 
Radiation Protection Summit held at JSC to improve radiation protection. 
This involves development of an active personnel dosimeter to be worn on 
the extravehicular mobility unit (EMU) (first test flight to be in Fall of 
2000), study of possible shielding improvements for EMU and design of 
localized shielding enhancements to ISS, and development of trapped 
radiation models; (2) Increasing coordination between NASA’s Office of 
Life and Microgravity Sciences and Applications, the JSC Radiation 
Health Program, the National Oceanic and Atmospheric Administration 
(NOAA), and NASA’s Office of Space Science on forecasting and monitor 
ing changes in space weather; and (3) Improving coordination of radiation 
protection across NASA. To further the coordination across NASA, Dr. 
Richard Williams, from NASA Headquarters, Office of Life and 
Microgravity Sciences and Applications, has been appointed as head of a 
task group to develop an Agencywide plan to implement this objective. 
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Finding #10 


The Russian Solid Fuel Oxygen Generator (SFOG) is baselined as the 
backup oxygen supply system for the ISS. This device has experienced 
problems in its application on Mir and thus may be a potential safety haz- 
ard when operated on the ISS. 


Recommendation #10 

Examine ways to eliminate the risks posed by the use of the Russian SFOG 
such as by determining the availability of a better, “off-the-shelf,” safety- 
proven SFOG or by initiating an R&D effort to produce a safer alternative. 
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Response 

NASA concurs with the ASAP recommendation. A joint NASA Russian 
Space Agency (RSA) team has completed an investigation of the SFOG 
experience on Mir. The failure mode has been identified and has been repro 
duced and verified during ground tests. The position of the NASA RSA 
team is that the Mir experience was an isolated incident. Units planned for 
use on the ISS have been subjected to lot testing and screening of manu- 
facturing and quality records and test reports. A non flammable contain 
ment system to prevent propagation of a fire has been developed and tested 
as an additional safely enhancement. The conclusion of a joint NASA RSA 
engineering, safety and mission assurance, and program management team 
is that this system is safe for operation on the ISS. 

A parallel effort to develop a commercial off-the-shelf oxygen generation 
system was initiated by NASA during the SFOG failure investigation. 
This system has been certified for use, if necessary. 



EXTRAVEHICULAR ACTIVITY (EVA) 


Finding #11 

The EVA Project Office has several planned initiatives to ensure the 
availability of adequate EVA resources to support the ISS and Space 
Shuttle. These initiatives cover acquisition of material, development of 
procedures, and improved training. 


Recommendation #1 1 

Expedite completion of the planned initiatives related to the safety of EVA 
so that maximum benefit can be realized during the upcoming intensive 
ISS assembly schedule. 


Response 

NASA concurs with the ASAP recommendation. In June 1999, the EVA 
Project Office initiated the development of a small planar hard upper 
torso (HUT) in addition to the medium, large, and extra-large HUTs 
already developed. With four HUT sizes, the broadest range of crewmem 
bers (~5 th percentile Asian female to 95 th percentile Caucasian male) will 
be accommodated. The small planar HUT has successfully completed the 
concept development phase, and the preliminary design review is sched 
tiled for May 2000. The first flight item is on schedule for delivery in 
October 2002. 

Redesign of the (EMU) to allow for on-orbit replacement of a primary life 
support subsystem, HUT, displays and control module, and secondary 
oxygen pack is ahead of schedule to support the ISS 6A flight. The EVA 
Project Office is assessing the feasibility of flying the EMU on-orbit 
replacement unit configuration on ISS flight 5A prior to the need to leave 
an EMU onboard the ISS during 6A. 

Single mission certification for the phase VI glove was accomplished prior 
to ISS flights 2 A and 2A.1. Full certification (up to 19 EVAs) was com- 
pleted in March 2000, approximately 1 year prior to leaving phase VI 
gloves onboard the ISS for ~ 90-day increments. 

Like the phase VI glove, the U.S. Simplified Aid for EVA Rescue (SAFER) 
has flown with single- mission certification on five previous missions. 
Anomalies identified during three of these previous missions - STS 86 
(failed NASA standard initiator (NSI) drive circuit), STS-88 (erroneous 
indication of no remaining gaseous nitrogen), and STS-96 (inadvertent 
NSI firing) - have all been successfully resolved through hardware 
redesign and/or procedures modification. A final anomaly relative to the 
battery gauge, which supports the requirement to remain onorbit contin- 
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uously for 1 year, has been resolved, and the hardware will be certified 
prior to ISS flight 2 A. 2a (STS- 101) in May 2000. 

Development of the Russian SAFER (RSAFER) was transferred to the 
RSA in April 1 999 when they offered to cost share the hardware produc- 
tion and successfully completed the project preliminary design review 
Currendy, the critical design review is planned for FY 2001. One open 
issue to be resolved is the contractual authority to develop the RSAFER. 
The original plan included the RSAFER in the $35M contract modifica- 
tion between NASA and the RSA; however, due to congressional concerns 
this contract modification is currently on hold. The baseline plan to 
launch the RSAFER on ISS flight 7A.1 will need to be readdressed fol 
lowing official contract authority with the RSA. 

Lastly, NASA has successfully completed all of the technical and medical 
work necessary to implement a 2-hour EVA prebreathe protocol from a 
14.7 psi atmosphere. NASA Headquarters has given approval, and plans 
are being developed to demonstrate the 2 -hour protocol procedures (either 
on the ground or as part of a detailed test objective demonstration on ISS 
flight 5A or 6A) prior to implementation on ISS flight 7A when the joint 
airlock is launched. Additionally, decompression sickness contingency 
plans and flight rules have been developed, and crew and flight surgeon 
training has been initiated. 


100 


aerospace safety 
advisory panel 
annual report for 2000 



Finding #12 

The funding of the EVA R&T program is not adequate to provide the max- 
imum safety benefit in terms of new equipment and procedures that lower 
the risk of extravehicular activities. 


Recommendation #12 

Fund a robust EVA R&T program. 


Response 

NASA concurs with the ASAP recommendation. The EVA Project Office 
maintains the EVA technology roadmap defining critical and pacing tech 
nologies for future advancements. Each year, in the budget process, the 
EVA Project Office makes recommendations to the benefiting programs 
when it is prudent to pursue research and technology. In FY 1999, due to 
hardware obsolescence, the Space Shuttle Program approved the redesign 
of the EMU caution and warning system. Additionally, in FY 2000, the 
EVA Project Office is assessing the need to redesign the EMU displays 
and control module, also for hardware obsolescence reasons. Long-term 
cost savings (through FY 2020) may be possible with new spacesuit ele 
ments, and perhaps even a new spacesuit, rather than maintaining the 
current design. 
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COMPUTER HARDWARE/SOFTWARE 


Finding #1 3 

NASA has taken positive steps for upgrading security on the ISS uplink 
by adopting a more robust encryption scheme. The downlink and the links 
between the Mission Control Centers (MCCs) in Houston and Moscow, 
however, are not encoded. 


Recommendation #13 

Conduct an overall threat analysis of the Space Station downlink and its 
interfaces to both MCC Houston and MCC Moscow. 
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Response 

NASA concurs with the ASAP recommendation. The ISS uplink is critical 
to the safety of the ISS and contains encryption and processing safe- 
guards to ensure that it is protected. Automated commanding will not be 
downlinked. If the downlink were compromised, the result would be 
momentary transmission of erroneous data to flight controllers, who 
would resolve the erroneous data prior to responding. The link between 
the Houston and Moscow control centers is a part of the control center 
network and undergoes continuous security analysis and protective 
upgrades. The Security Analysis and Response Team, a multilateral 
ground segment security team chartered by the ISS Programs Ground 
Segment Control Board, conducts this activity. This team initiated an 
analysis of the link between MCC-Houston and MCC-Moscow in 1999, 
and is scheduled to be completed in July 2000. 



Finding #14 


NASA has initiated an agency-wide program to deal with general com- 
puter security Significant parts of NASA’s initial plan depend upon the 
voluntary compliance of system users including contractors. 


Recommendation #14 

Expand the agency-wide security system development work to include 
less dependence on human compliance with the system. NASA should 
also require contractors to participate in its security efforts. 


Response 

NASA concurs with both parts of the recommendation. Regarding less 
dependence on human compliance, all NASA Centers have installed soft 
ware and hardware tools that automatically scan for hostile code, system 
vulnerabilities, and hostile intrusions. These tools are not perfect; they 
require human oversight. However, they do reduce the amount of manu- 
al labor and the amount of human discretion involved in finding and 
dealing with attacks. NASA is exploring with vendors the possibility of 
applying artificial intelligence techniques to identify patterns in intru 
sion detection data that may not be obvious. This field has not yet 
matured to the point that products or services are available, but we are 
hopeful that, in a year or two, prototype products may be available for 
evaluation. These products would reduce the amount of manual analysis 
required to identify attacks, and they would make it easier to correlate 
data from different Centers. 

We also use audits and metric reports to verify that human compliance 
has been adequate. For example, this year we will engage a third party to 
perform a technical audit of IT security provisions at three NASA 
Centers. Metric reports on security plans, training, and system vulnera- 
bilities help us to track performance, thereby reducing discretion in com- 
pliance with NASA policy. 

However, IT security evolves rapidly. New threats must be countered 
manually until they are well enough understood for defense to be auto- 
mated. Thus, we expect to rely on human intellect and energy to identify 
and deal with novel developments. 

Regarding requiring contractors to participate in its security efforts, we 
issued for comments, in January, a draft regulation to be included in the 
NASA supplement to the Federal Acquisition Regulations. This regulation 
would require NASA contractors, who operate computers or network sys- 
tems on behalf of NASA, to adhere to appropriate provisions of NASA poli- 
cies and procedures for information technology security. Comments on 
this draft have been dispositioned, and we expect the final regulation to 
be issued shortly. Also we are including contractors, such as the 
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Consolidated Space Operations Contract, the Outsourcing Desktop 
Initiative for NASA, and the USA vendors, in various fora that coordinate 
IT security across systems operated on behalf of NASA. Although this 
effort is recent, we are seeing good cooperation. We expect integration of 
contractors to help maintain a seamless NASA IT security posture. 
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Finding #15 

Further analysis of NASA’s planned agency- wide computer security sys- 
tem is needed to understand its vulnerabilities and the programs and 
activities to which the system should be applicable. 


Recommendation #15 

Conduct a thorough analysis, together with the National Security Agency, 
to determine the level of computer security required by the Agency, the 
level of security that can be expected from the system and its most seri- 
ous vulnerabilities. Also require all major mission or safety critical pro- 
grams to have a qualified third party conduct a computer vulnerability 
analysis of their designs as soon as possible. 


Response 

NASA concurs in principle with both parts of this recommendation. 
Regarding analysis with the National Security Agency (NS A), we conduct- 
ed a thorough internal study in 1998 to determine the level of required 
computer security, and GAO audited our computer security the same year. 
In addition, we are using a combination of internal audits/tests and third 
party audits/tests to determine our security at a technical level. Our met- 
rics also provides ongoing information about the adequacy of our computer 
security. Finally the NASA Inspector General has made computer securi 
ty a high priority for audits and inspections. Thus, we are not sure that 
adding another layer of analysis by the NS A will add commensurate value. 
Every analysis or audit disturbs ongoing work, and, at some point, addi- 
tional analyses can actually degrade security because they have negative 
marginal value. We will discuss with the NSA what services that they 
could provide, to establish whether contracting with them would add sig- 
nificant value above what is already underway. 

Regarding major mission systems, we believe that there is merit in the rec- 
ommendation but wish to consult with owners of such systems before levy- 
ing this requirement. We require that managers of all “special management 
attention” systems complete IT security plans and provide written authori- 
zation to operate those systems this fiscal year. We expect that all major 
mission or safety critical systems are included among the special manage- 
ment attention systems. Thus, these activities will provide a documented 
baseline for discussion regarding the value of third-party analyses. 
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Finding #16 


NASA has established an Avionics Upgrade Architecture Team (AUAT) 
charged with studying Space Shuttle avionics systems and recommending 
upgrades. The AUAT has conducted a thorough study and developed an 
excellent Block I upgrade plan that addresses the most serious needs, but 
as yet it is unfunded. 


Recommendation #16 

Proceed with full funding for the proposed Block I Space Shuttle avionics 
upgrades as rapidly as possible. 
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Response 

The SSP has two categories of avionics upgrades - safety and supporta 
bility. Both safety upgrades and hardware supportability upgrades meet 
the Agency’s goal of continued and reliable Shuttle operations, with sig 
nificantly reduced safety risks, through at least FY 2012. 

NASA is aggressively developing an Upgrade Program Plan for imple- 
menting the safety upgrades into the Shuttle fleet by FY 2005. These 
upgrades include the avionics changes required to add cockpit displays for 
abort situation awareness, and enhanced caution and warning, which will 
provide information and solutions that will significantly reduce the crew 
workload for complex and/or multiple failures. Funding for the formula 
tion phase (requirement definition and validation, design architecture, 
and subsystem procurement specification) for these upgrades has been 
authorized by the program and is underway. The current NASA SSP 
budget submission also provides for implementation funding. 

Potential avionics supportability upgrades needed to reliably ensure that 
flight-certified hardware is available to support the Shuttle manifest 
through FY 2012 are under review. Ongoing avionics supportability 
upgrade analyses focus primarily on maintenance concerns associated 
with the orbiter integrated communications system. The case for upgrad 
ing the communications system, and the various upgrade options studied 
by the avionics supportability assessment team will be reviewed by the 
program during the POP 2000 planning cycle. 



Finding #17 


Part of the AUAT’s initial approach is to install three mission computers 
to augment the existing General Purpose Computers (GPCs). The specif- 
ic functions to be off-loaded from the GPCs to the mission computers have 
yet to be determined. Eventually the AUAT plans to consider moving 
some “Crit 1” functions to the mission computers. 


Recommendation #1 7 

Do not move any “Crit 1” functions to the mission computers unless mem- 
ory requirements in the GPC demand it and then only after an appropri- 
ate risk analysis is performed. 


Response 

The avionics upgrade architecture has changed substantially since the 
ASAP visit early in 1999 when it contained both safety enhancements and 
supportability solutions. The currently funded content for the avionics 
upgrade addresses only the safety enhancements. These enhancements 
address upgrades to the crew cockpit to reduce crew workload and 
enhance safety margins relative to critical crew procedures. The focus has 
been on improving crew situational awareness through access to all vehi 
cle data, more robust command capability from the keyboards and more 
computational power to perform higher-level functions (such as enhanced 
caution and warning and abort region determination) than previously 
supported. The result is an architecture that replaces the existing multi- 
functional electronic display system integrated display processor with a 
new computer, called the command and data processor, rather than incor 
porating a mission computer. The functions, such as crew commands and 
enhanced caution and warning that are now supported by the avionics 
architecture, are considered Crit land will be certified to Crit 1 levels. The 
new processor has many of the attributes of the mission computer concept 
presented to the ASAP, including support for an aerospace ground equip- 
ment interface for flight computer data access. 
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Finding #18 


The long-term support of the International Partners with respect to soft- 
ware source code is essential to the safe operation of the ISS and the res- 
olution of any software- related anomalies. 


Recommendation #18 

Solidify long-term source code maintenance and incident investigation 
agreements for all software being developed by the International Partners 
as quickly as possible, and develop contingency plans for all operations 
that cannot be adequately placed under NASA’s control. 


Response 

The International Partners have all agreed to provide sustaining engi 
neering support for their software throughout the life of the ISS, and the 
ISS Program will add this agreement to the multilateral ISSP Software 
Management Plan. In addition, NASA has established contingency plans 
for dealing with the loss of critical partner assets. 
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AEROSPACE TECHNOLOGY 


Finding #19 

Programs such as the non-defunct High Speed Research and Advanced 
Subsonic Technology often yield aircraft safety improvements. 
Elimination of these programs may well be inimical to advances in avia- 
tion safety 


Recommendation #19 

Identify those elements of the eliminated programs which had the poten- 
tial to improve aviation safety and cover them elsewhere. 


Response 

NASA concurs with this recommendation. NASA has retained the ele- 
ments in the High Speed Research and Advanced Subsonic Technology 
program that have a potential to improve aviation safety. For example, a 
major element of HSR was the external vision system that was being 
developed to allow pilots to see forward without drooping the nose of a 
high speed civil transport. This technology, being developed in HSR for 
clear weather applications, was transferred to the Synthetic Vision proj 
ect in the Aviation Safety program. The technology will be developed to 
enable all weather applications. 

Additionally, two projects of the Advanced Subsonic Technology program 
were transferred to the Aviation Systems Capacity program. They are 
Terminal Area Productivity (TAP) and Advanced Transportation 
Technology (AATT). TAP is developing technologies to demonstrate safe , 
clear weather capacity during instrument weather conditions. AATT is 
developing technology to enable substantial increases in the effectiveness, 
efficiency, capacity, flexibility, predictability, and safety of the national and 
global air transportation system. 
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Finding #20 


The involvement of Center Directors in aviation flight readiness, flight 
clearance, and aviation safety review board matters is not uniformly 
satisfactory. 


Recommendation #20 

Underscore the need for Center Directors to become involved personally 
in aviation flight readiness, flight clearance, and aviation safety review 
board matters. 
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Response 

Each Center that operates aircraft for research or program support has 
established and maintains an airworthiness and flight safety review 
process board consistent with the level of aircraft modification activity 
which takes place at the Center. Additionally a requirement exists that 
every NASA Aviation Safety Officer have a formally established direct 
line of communication with the Center Director. These processes and their 
implementation are inspected at each biennial Intercenter Aircraft 
Operations Panel (IAOP) Review of the Center s flight operations activi 
ties. The Center Director is debriefed at the end of each review. The IAOP 
will increase the emphasis on the need for the Center Director to remain 
personally involved in airworthiness and aviation safety matters. 



Finding #21 


NASA’s responsibilities with regard to aviation flight safety when a con- 
tractor conducts flights and/or provides payloads are not clearly defined. 


Recommendation #21 

Define more explicitly the safety responsibilities of NASA Centers when 
conducting, supervising, or participating in contractor-operated aviation 
flight and payload operations. 


Response 

NASA’s responsibilities concerning the conduct of contract flight opera- 
tions have been clearly defined in an Office of Management Systems 
Interim Policy Letter, dated 7 Jun 99, which establishes responsibilities 
and actions required when non NASA aircraft are used to support NASA 
research requirements. This interim policy has been entered into the for 
mal NASA Policy and Guideline system. The policy places the responsi 
bility for review of all contracts, flight operations plans, and supervision 
of those activities directly with the Center’s Flight Operations Office. If 
the Center has no such office, the NASA Headquarters Aircraft 
Management Office, in conjunction with the appropriate Enterprise, will 
assign the responsibility to the most suitable NASA Flight Operations 
Office. 
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Finding #22 


The chain of safety responsibility for the operation of the Stratospheric 
Observatory for Infrared Astronomy (SOFIA) aircraft is complex and 
unclear. 


Recommendation #22 

Sort out and clear up the SOFIA chain of flight operations safety respon 
sibility. 
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Response 

The chain of flight operations safety responsibility of SOFIA is as follows: 
Within NASA, the Center Director at the Ames Research Center (ARC), 
the designated Lead Center for SOFIA, has the responsibility to ensure the 
safety of SOFIA, including flight operations. The Center Director has a 
Safety and Mission Assurance (S&MA) Office, which ensures that Agency 
policies for safety are followed, as well as an Airworthiness and Flight 
Safety Review Board (AFSRB), which provides specific oversight for air 
craft airworthiness. These two mechanisms for safety oversight report 
directly to the Center Director and work closely and regularly with the 
SOFIA Program Office at ARC, which directs the SOFIA contractor team. 
An experienced NASA Flight Operations Manager for SOFIA carries the 
responsibility within the SOFIA Program Office to ensure that safety of 
flight operations receives the utmost attention in contractor activities. 

Further details follow, starting from the lowest level to show the founda 
tion of flight operations safety embodied in the SOFIA program wherein 
aircraft operations will be performed by United Airlines (UAL). 

The first level of aircraft operational safety responsibility, working from the 
bottom up, is that SOFIA aircraft operations and maintenance will be accom- 
plished by UAL, the SOFIA contractor for aircraft operations, under UAL 
Operations/Specifications, which meet or exceed the operations rules estab- 
lished by appropriate Federal Aviation Regulations (FAR), Airworthiness 
Directives, and Service Bulletins. The program will be overseen and certified 
by the FAA for FAR compliance. Appropriate clearance and signoffs, as man 
dated by UAL Operations/Specifications, will be the responsibility of UAL. 

NASA policy also requires effective NASA oversight for safety. This is 
accomplished by NASAs Ames Research Center (ARC) as the designated 
Lead Center within NASA for SOFIA. At ARC, as with programs at other 
NASA Centers, the Center Director delegates overall program manage- 
ment for SOFIA to the SOFIA Program Manager, reporting directly to the 
Center Director to ensure visibility. 

Directly supporting the SOFIA Program Manager is the NASA Flight 
Operations Manager for SOFIA, experienced in aircraft flight operations and 



qualified to make routine SOFIA flight operations approval decisions. This 
individual, a senior experienced operations expert and pilot, also has the cur- 
rent responsibility for ensuring that that appropriate expertise in flight 
operations and flight safety is incorporated into the current design and 
development of SOFIA and into the planning for SOFIA flight operations. 

In addition, to ensure matters of safety and airworthiness receive the utmost 
attention and visibility, the ARC Center Director has in place two other mech 
anisms. First, there is an independent Safety and Mission Assurance (S&MA) 
Office at ARC that works closely with the SOFIA Program Office, but reports 
directly to the Center Director and has direct ties to the NASA Headquarters 
S&MA Office to ensure overall Agency policy on safety is followed. This ARC 
S&MA Office has direct and on going access to the ground and flight opera- 
tions activities of the SOFIA contractor team. 

Second, the ARC Airworthiness and Flight Safety Review Board (AFSRB) 
provides airworthiness oversight for SOFIA aircraft modifications and 
mission equipment installations. The AFSRB reviews the SOFIA aircraft 
design, related technical analysis, development testing and all associated 
documentation, and provides airworthiness recommendations to the 
Center Director for conduct of test flights, for initiating routine flight 
operations, and for reinitiating flight operations following any subse 
quent, significant aircraft modifications. 

Concurrence in the approval of development and checkout flights will be 
required from both the AFSRB and the Head of the ARC S&MA Office. 

Safety oversight as structured above by ARC management was previous 
ly agreed to by the NASA Headquarters Office of Management Systems 
(Code J), with the cognizance and concurrence of the NASA Headquarters 
Offices of Space Science (Code S) and S&MA (Code Q). 

In a more recent organizational change prompted by an internal NASA 
review, ARC is establishing an Aviation Management Office to have cer 
tain management responsibilities for all aircraft operations at ARC, rec- 
ognizing that two non-NASA organizations (U.S. Army and U.S. Forest 
Service) also conduct flight operations at ARC. The details of these 
responsibilities, and in particular their inter-relationship with the previ- 
ously approved oversight structure for SOFIA outlined above, are under 
development at this time. 
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Finding #23 


In planning for SOFIA operations, aviation safety and flight personnel 
have had minimal involvement. 


Recommendation #23 

Involve cognizant aviation safety and flight personnel in SOFIA planning 
and development on a routine basis. 


114 


aerospace safety 
advisory panel 
annual report for 2000 


Response 

The SOFIA Program has maintained involvement of aviation safety and 
flight personnel, from both NASA and UAL, from the beginning of devel 
opment. However, to ensure that no potential problem areas are over 
looked, the program has recently taken steps to increase the involvement 
of aviation safety and flight personnel. 

The SOFIA prime contractor has elevated senior aviation operations 
experts into the operations planning process during the development 
phase. Also, additional senior aviation operations personnel at UAL, the 
major subcontractor assigned the role for aircraft operations, have been 
brought into the process and have had input into training and operations 
issues. Further, the level of inclusion of the NASA SOFIA Flight 
Operations Manager, a senior and experienced operations expert and 
pilot, concerning development and operations plans has also increased, as 
has the degree of communication on such matters with the NASA SOFIA 
Program and Project Managers. 

SOFIA is approximately 2 1/2 years from the start of operational flights. 
If additional measures are determined to be necessary to ensure adequate 
involvement of aviation safety and flight personnel, for instance as the 
responsibilities and staffing of the newly created ARC Aviation 
Management Office are clarified, they will be implemented. 

A further step that has been taken at NASA Headquarters is the estab 
lishment of a SOFIA External Independent Readiness Review (EIRR) 
Team by the Associate Administrator for Space Science. EIRRs are used 
by NASA to support the responsible Associate Administrators oversight 
of approved programs, wherein a small team is formed of highly knowl 
edgeable specialists from organizations external to the program, and in 
most cases, external to NASA. Although the scope of the SOFIA EIRR is 
intentionally broad to cover such program issues as science utility, engi- 
neering integration, and mission risk, a third of its membership represent 
detailed expertise in aircraft flight safety and operations, reliability and 
safety analysis, and modification and FAA certification. Although only in 
place since March of this year, their input has already proven valuable to 
the SOFIA program, and will continue to provide an additional check that 
proper attention is paid to operations and safety concerns. 



Finding #24 


As currently configured, the SOFIA aircraft does not contain avionics con- 
sistent with best practices for international operations. 


Recommendation #24 

Ensure that the SOFIA aircraft is configured in accordance with prevail- 
ing international airline avionics practices. 


Response 

The SOFIA 747SP is outfitted with the avionics it had when it was built. 
These will be updated consistent with future air navigation require- 
ments and UAL fleet plans. UAL is committed to operating SOFIA safe- 
ly and efficiently as they do for all aircraft in their fleet. SOFIA will 
satisfy all Federal Aviation Regulations and ICAO requirements and 
will be operated under UAL Operations/Specifications. The critical ele- 
ments of the cockpit avionics configuration, as well as plans for future 
upgrades, are undergoing final determination in preparation for the 
Critical Design Review. 
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Appendix C 


AEROSPACE SAFETY ADVISORY 
PANEL ACTIVITIES 


JANUARY-DECEMBER 2000 


JANUARY 

January 12-13, 2000 - League City, TX, NASA Research 2000 Leadership 
Summit 

January 18-19, 2000 - Kennedy Space Center, STS-99 Flight Readiness 
Review 


FEBRUARY 

February 8-10, 2000 - NASA Headquarters, ASAP Annual Meeting 
February 1 1 , 2000 - Goddard Space Flight Center, Fact-Finding 
February 22-25, 2000 - Johnson Space Center, Payload Safety Conference 
February 28, 2000 - Johnson Space Center, USPM Safety TIM 
February 29, 2000 - Johnson Space Center, Fact-Finding 
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MARCH 

March 1-2, 2000 - Johnson Space Center, USPM Safety TIM 
March 15-17, 2000 - Kennedy Space Center, Fact-Finding 
March 21-22, 2000 - San Antonio, TX, Space Station Program 
Management Review 

March 23, 2000 - NASA Headquarters, Panel Administration (Meet with 
Mr. Goldin) and SOFIA Briefing 


APRIL 

April 3-6, 2000 - Johnson Space Center, ICM TIM 

April 4-5, 2000 - Kennedy Space Center, STS 101 Flight Readiness 
Review 

April 4-6, 2000 - Johnson Space Center, ICM Safety TIM 
April 22-25, 2000 - Kennedy Space Center, STS- 101 Prelaunch Mission 
Management Team Review and Launch 
April 25-27, 2000 - Huntington Beach, CA, Propulsion Module Delta 
Preliminary Design Review 



MAY 


May 9, 2000 - Kennedy Space Center, Space Station Program Integrated 
Logistics Panel Meeting 

May 16-18, 2000 - Marshall Space Flight Center, Plenary Session 

JUNE 

June 1, 2000 - West Palm Beach, FL, Pratt and Whitney, Fact-Finding 
June 6, 2000 - Palmdale, CA, The Boeing Company, Fact-Finding 
June 7, 2000 - Jet Propulsion Laboratory, Fact-Finding 
June 8, 2000 - El Segundo, CA, The Aerospace Corporation, Fact-Finding 
June 20-21, 2000 - Langley Research Center, Fact-Finding 
June 22, 2000 - NASA Headquarters, Meeting with Mr. Rothenberg, Mr. 
Hawes, and Mr. Holloway 

June 27-28, 2000 - Johnson Space Center, Computer Team Visit 


118 


aerospace safety 
advisory panel 
annual report for 2000 


JULY 

July 7, 2000 - Kennedy Space Center, USA Independent Assessment 
Team 

July 1 1 , 2000 - NASA Headquarters, CRV PMC 
July 19-20, 2000 - Wallops Flight Facility, Fact-Finding 
July 25, 2000 - Ames Research Center, Fact-Finding 
July 31 , 2000 - Kennedy Space Center, Fact-Finding 


AUGUST 

August 1 , 2000 - Kennedy Space Center, Fact-Finding 
August 2, 2000 NASA Headquarters, CRV Meeting 
August 8-10, 2000 - Johnson Space Center, Plenary Session 
August 14, 2000 - NASA Headquarters, Fact-Finding 
August 14-17, 2000 - Waco, TX, Stratospheric Observatory for Infrared 
Astronomy Critical Design Review 

August 29, 2000 - Kennedy Space Center, STS- 106 Flight Readiness 
Review 


SEPTEMBER 

September 11-12, 2000 - Dryden Flight Research Center, Fact-Finding 
September 12, 2000 - West Palm Beach, FL, Pratt and Whitney, Alternate 
Fuel Turbopump DCR 

September 14, 2000 - NASA Headquarters, Fact-Finding 
September 21-22, 2000 - NASA Headquarters, Fact-Finding 
September 28, 2000 - Kennedy Space Center, STS-92 Flight Readiness 
Review 

September 29, 2000 - Kennedy Space Center, ISS Program Status, 
Development, and Operations Meeting 



OCTOBER 


October 5-6, 2000 - Dry den Flight Research Center, Fact-Finding 
October 10-11, 2000 - Kennedy Space Center, Fact-Finding 
October 10 12, 2000 - Ames Research Center, Design for Safety 
Conference 

October 17, 2000 - Stennis Space Center, Fact-Finding 
October 18, 2000 - Michoud Assembly Facility, Fact-Finding 
October 25, 2000 - Kennedy Space Center, Logistics-Suppliers Conference 
October 30, 2000 - Johnson Space Center, Computer Security Debrief 


NOVEMBER 

November 8, 2000 - Johnson Space Center, Meeting with Mr. Holloway 

November 9-10, 2000 - NASA Headquarters, Plenary Session 

November 14, 2000 - Marshall Space Flight Center, Integrated Logistics 
Panel Meeting 

November 17, 2000 - Kennedy Space Center, STS-97 Flight Readiness 
Review 

November 20, 2000 NASA Headquarters, Meeting with Mr. Goldin 

November 28, 2000 - NASA Headquarters, Meeting with Ms. Novak 

November 29-30, 2000 - NASA Headquarters, Editorial Committee 
Meeting 

November 29-30, 2000 - Boeing Huntington Beach, CA, Crew Escape 
System Final Concept Review 

November 29-30, 2000 - Goddard Space Flight Center, Software 
Engineering Workshop 

November 30, 2000 - Kennedy Space Center, Final Briefing of USA 
Independent Assessment Team 
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DECEMBER 

December 13, 2000 - NASA Headquarters and Telecon, Editorial 
Committee Meeting 






